Guide to the Secure Configuration of Red Hat Enterprise Linux 7
with profile C2S for Red Hat Enterprise Linux 7
This profile demonstrates compliance against the U.S. Government Commercial Cloud Services (C2S) baseline. This baseline was inspired by the Center for Internet Security (CIS) Red Hat Enterprise Linux 7 Benchmark, v2.1.1 - 01-31-2017. For the SCAP Security Guide project to remain in compliance with CIS' terms and conditions, specifically Restrictions(8), note there is no representation or claim that the C2S profile will ensure a system is in compliance or consistency with the CIS baseline.
scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.
Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
Evaluation Characteristics
| Evaluation target | os42bastion.localdomain |
|---|---|
| Benchmark URL | /tmp/ssg-rhel7-ds-1.2.xml |
| Benchmark ID | xccdf_org.ssgproject.content_benchmark_RHEL-7 |
| Profile ID | xccdf_org.ssgproject.content_profile_C2S |
| Started at | 2021-02-16T19:41:06 |
| Finished at | 2021-02-16T20:02:15 |
| Performed by | lniesz |
CPE Platforms
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
Addresses
- IPv4 127.0.0.1
- IPv4 192.168.8.248
- IPv6 0:0:0:0:0:0:0:1
- IPv6 fe80:0:0:0:93d5:59a5:d0be:4b3f
- MAC 00:00:00:00:00:00
- MAC 52:54:00:8E:01:3B
Compliance and Scoring
[Charts: Rule results; Severity of failed rules]
Score
| Scoring system | Score | Maximum | Percent |
|---|---|---|---|
| urn:xccdf:scoring:default | 60.114697 | 100.000000 | 60.11% |
Rule Overview
Result Details
Uninstall rsh Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_rsh_removed |
|---|---|
| Result | pass |
| Time | 2021-02-16T19:41:07 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-27274-0; References: 2.3.2, 3.1.13, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3 |
| Description | The |
| Rationale | These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the |
OVAL details
- package rsh is removed: passed because these items were not found: Object oval:ssg-obj_package_rsh_removed:obj:1 of type rpminfo_object
Disable rlogin Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_rlogin_disabled |
|---|---|
| Result | pass |
| Time | 2021-02-16T19:41:07 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-27336-7 References: 2.2.17, 1, 11, 12, 14, 15, 16, 3, 5, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.1.13, 3.4.7, CCI-001436, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, AC-17(8), CM-7, IA-5(1)(c), PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, PR.IP-1, PR.PT-3, PR.PT-4 | ||||||||||||||||||
| Description | The rlogin socket can be disabled with the following command: `$ sudo systemctl disable rlogin.socket` The rlogin socket can be masked with the following command: `$ sudo systemctl mask rlogin.socket` |
| Rationale | The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. |
OVAL details
- Test that the rlogin service is not running: passed because these items were not found: Object oval:ssg-obj_service_not_running_rlogin:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_not_running_rlogin:ste:1 of type systemdunitproperty_state
- Test that the property LoadState from the service rlogin is masked: passed because these items were not found: Object oval:ssg-obj_service_loadstate_is_masked_rlogin:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_loadstate_is_masked_rlogin:ste:1 of type systemdunitproperty_state
- Test that the property FragmentPath from the service rlogin is set to /dev/null: passed because these items were not found: Object oval:ssg-obj_service_fragmentpath_is_dev_null_rlogin:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_fragmentpath_is_dev_null_rlogin:ste:1 of type systemdunitproperty_state
Disable rsh Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_rsh_disabled |
|---|---|
| Result | pass |
| Time | 2021-02-16T19:41:07 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-27337-5 References: 2.2.17, 1, 11, 12, 14, 15, 16, 3, 5, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.1.13, 3.4.7, CCI-000068, CCI-001436, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, AC-17(8), CM-7, IA-5(1)(c), PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, PR.IP-1, PR.PT-3, PR.PT-4 | ||||||||||||||||||
| Description | The rsh socket can be disabled with the following command: `$ sudo systemctl disable rsh.socket` The rsh socket can be masked with the following command: `$ sudo systemctl mask rsh.socket` |
| Rationale | The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. |
OVAL details
- Test that the rsh service is not running: passed because these items were not found: Object oval:ssg-obj_service_not_running_rsh:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_not_running_rsh:ste:1 of type systemdunitproperty_state
- Test that the property LoadState from the service rsh is masked: passed because these items were not found: Object oval:ssg-obj_service_loadstate_is_masked_rsh:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_loadstate_is_masked_rsh:ste:1 of type systemdunitproperty_state
- Test that the property FragmentPath from the service rsh is set to /dev/null: passed because these items were not found: Object oval:ssg-obj_service_fragmentpath_is_dev_null_rsh:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_fragmentpath_is_dev_null_rsh:ste:1 of type systemdunitproperty_state
Disable rexec Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_rexec_disabled |
|---|---|
| Result | pass |
| Time | 2021-02-16T19:41:07 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-27408-4 References: 2.2.17, 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 3.1.13, 3.4.7, CCI-000068, CCI-001436, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-17(8), CM-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4 | ||||||||||||||||||
| Description | The rexec socket can be disabled with the following command: `$ sudo systemctl disable rexec.socket` The rexec socket can be masked with the following command: `$ sudo systemctl mask rexec.socket` |
| Rationale | The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. |
OVAL details
- Test that the rexec service is not running: passed because these items were not found: Object oval:ssg-obj_service_not_running_rexec:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_not_running_rexec:ste:1 of type systemdunitproperty_state
- Test that the property LoadState from the service rexec is masked: passed because these items were not found: Object oval:ssg-obj_service_loadstate_is_masked_rexec:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_loadstate_is_masked_rexec:ste:1 of type systemdunitproperty_state
- Test that the property FragmentPath from the service rexec is set to /dev/null: passed because these items were not found: Object oval:ssg-obj_service_fragmentpath_is_dev_null_rexec:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_fragmentpath_is_dev_null_rexec:ste:1 of type systemdunitproperty_state
Remove Rsh Trust Files
| Rule ID | xccdf_org.ssgproject.content_rule_no_rsh_trust_files |
|---|---|
| Result | pass |
| Time | 2021-02-16T19:41:07 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-27406-8 References: 6.2.14, 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-001436, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-17(8), CM-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4 | ||||||||||||||
| Description | The files `$ sudo rm /etc/hosts.equiv` `$ rm ~/.rhosts` |
| Rationale | Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system. |
OVAL details
- look for .rhosts or .shosts in /root: passed because these items were not found: Object oval:ssg-object_no_rsh_trust_files_root:obj:1 of type file_object
- look for .rhosts or .shosts in /home: passed because these items were not found: Object oval:ssg-object_no_rsh_trust_files_home:obj:1 of type file_object
- look for /etc/hosts.equiv or /etc/shosts.equiv: passed because these items were not found: Object oval:ssg-object_no_rsh_trust_files_etc:obj:1 of type file_object
Remove telnet Clients
| Rule ID | xccdf_org.ssgproject.content_rule_package_telnet_removed |
|---|---|
| Result | pass |
| Time | 2021-02-16T19:41:07 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-27305-2; References: 2.3.4, 3.1.13, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3 |
| Description | The telnet client allows users to start connections to other systems via the telnet protocol. |
| Rationale | The |
OVAL details
- package telnet is removed: passed because these items were not found: Object oval:ssg-obj_package_telnet_removed:obj:1 of type rpminfo_object
Disable telnet Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_telnet_disabled |
|---|---|
| Result | pass |
| Time | 2021-02-16T19:41:07 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-27401-9 References: 2.2.18, 1, 11, 12, 14, 15, 16, 3, 5, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.1.13, 3.4.7, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, AC-17(8), CM-7, IA-5(1)(c), PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, PR.IP-1, PR.PT-3, PR.PT-4 | ||||||||||||||||||
Description: The

```
# description: The telnet server serves telnet sessions; it uses \
#              unencrypted username/password pairs for authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = yes
}
```

If the /etc/xinetd.d/telnet file does not exist, make sure that the activation of the telnet service on system boot is disabled via the following command: The rexec socket can be disabled with the following command: `$ sudo systemctl disable rexec.socket` The rexec socket can be masked with the following command: `$ sudo systemctl mask rexec.socket`

Rationale: The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks.

OVAL details
- Test that the telnet service is not running: passed because these items were not found: Object oval:ssg-obj_service_not_running_telnet:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_not_running_telnet:ste:1 of type systemdunitproperty_state
- Test that the property LoadState from the service telnet is masked: passed because these items were not found: Object oval:ssg-obj_service_loadstate_is_masked_telnet:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_loadstate_is_masked_telnet:ste:1 of type systemdunitproperty_state
- Test that the property FragmentPath from the service telnet is set to /dev/null: passed because these items were not found: Object oval:ssg-obj_service_fragmentpath_is_dev_null_telnet:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_fragmentpath_is_dev_null_telnet:ste:1 of type systemdunitproperty_state
Remove NIS Client
| Rule ID | xccdf_org.ssgproject.content_rule_package_ypbind_removed |
|---|---|
| Result | pass |
| Time | 2021-02-16T19:41:07 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-27396-1; References: 2.3.1, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) |
| Description | The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client ( |
| Rationale | The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed. |
OVAL details
- package ypbind is removed: passed because these items were not found: Object oval:ssg-obj_package_ypbind_removed:obj:1 of type rpminfo_object
Uninstall ypserv Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_ypserv_removed |
|---|---|
| Result | pass |
| Time | 2021-02-16T19:41:07 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-27399-5 References: 2.2.16, 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000381, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-17(8), CM-7(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000095-GPOS-00049, RHEL-07-020010, SV-86593r2_rule | ||
| Description | The `$ sudo yum erase ypserv` |
| Rationale | The NIS service provides an unencrypted authentication service which does not provide for the confidentiality and integrity of user passwords or the remote session. Removing the |
OVAL details
- package ypserv is removed: passed because these items were not found: Object oval:ssg-obj_package_ypserv_removed:obj:1 of type rpminfo_object
Disable tftp Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_tftp_disabled |
|---|---|
| Result | pass |
| Time | 2021-02-16T19:41:08 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80212-4 References: 2.1.6, 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-001436, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-17(8), CM-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4 | ||||||||||||||||||
| Description | The tftp service can be disabled with the following command: `$ sudo systemctl disable tftp.service` The tftp service can be masked with the following command: `$ sudo systemctl mask tftp.service` |
| Rationale | Disabling the |
OVAL details
- Test that the tftp service is not running: passed because these items were not found: Object oval:ssg-obj_service_not_running_tftp:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_not_running_tftp:ste:1 of type systemdunitproperty_state
- Test that the property LoadState from the service tftp is masked: passed because these items were not found: Object oval:ssg-obj_service_loadstate_is_masked_tftp:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_loadstate_is_masked_tftp:ste:1 of type systemdunitproperty_state
- Test that the property FragmentPath from the service tftp is set to /dev/null: passed because these items were not found: Object oval:ssg-obj_service_fragmentpath_is_dev_null_tftp:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_fragmentpath_is_dev_null_tftp:ste:1 of type systemdunitproperty_state
Install tcp_wrappers Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_tcp_wrappers_installed |
|---|---|
| Result | pass |
| Time | 2021-02-16T19:41:08 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27361-5; References: 3.4.1, 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(b), PR.IP-1, SRG-OS-000480-GPOS-00227 |
| Description | When network services are using the `$ sudo yum install tcp_wrappers` |
| Rationale | Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols. |
OVAL details
- package tcp_wrappers is installed: passed because of these items:
Disable xinetd Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_xinetd_disabled |
|---|---|
| Result | pass |
| Time | 2021-02-16T19:41:08 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27443-1 References: 2.1.7, 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 3.4.7, CCI-000305, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-17(8), CM-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4 | ||||||||||||||||||
| Description | The xinetd service can be disabled with the following command: `$ sudo systemctl disable xinetd.service` The xinetd service can be masked with the following command: `$ sudo systemctl mask xinetd.service` |
| Rationale | The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself. |
OVAL details
- Test that the xinetd service is not running: passed because these items were not found: Object oval:ssg-obj_service_not_running_xinetd:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_not_running_xinetd:ste:1 of type systemdunitproperty_state
- Test that the property LoadState from the service xinetd is masked: passed because these items were not found: Object oval:ssg-obj_service_loadstate_is_masked_xinetd:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_loadstate_is_masked_xinetd:ste:1 of type systemdunitproperty_state
- Test that the property FragmentPath from the service xinetd is set to /dev/null: passed because these items were not found: Object oval:ssg-obj_service_fragmentpath_is_dev_null_xinetd:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_fragmentpath_is_dev_null_xinetd:ste:1 of type systemdunitproperty_state
Uninstall talk Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_talk_removed |
|---|---|
| Result | pass |
| Time | 2021-02-16T19:41:08 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27432-4; References: 2.3.3, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) |
| Description | The `$ sudo yum erase talk` |
| Rationale | The talk software presents a security risk as it uses unencrypted protocols for communications. Removing the |
OVAL details
- package talk is removed: passed because these items were not found: Object oval:ssg-obj_package_talk_removed:obj:1 of type rpminfo_object
Uninstall talk-server Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_talk-server_removed |
|---|---|
| Result | pass |
| Time | 2021-02-16T19:41:08 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27210-4; References: 2.2.21, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) |
| Description | The `$ sudo yum erase talk-server` |
| Rationale | The talk software presents a security risk as it uses unencrypted protocols for communications. Removing the |
OVAL details
- package talk-server is removed: passed because these items were not found: Object oval:ssg-obj_package_talk-server_removed:obj:1 of type rpminfo_object
Disable vsftpd Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_vsftpd_disabled |
|---|---|
| Result | pass |
| Time | 2021-02-16T19:41:08 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-80244-7 References: 2.2.9, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-001436, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3 | ||||||||||||||||||
| Description | The vsftpd service can be disabled with the following command: `$ sudo systemctl disable vsftpd.service` The vsftpd service can be masked with the following command: `$ sudo systemctl mask vsftpd.service` |
| Rationale | Running FTP server software provides a network-based avenue of attack, and should be disabled if not needed. Furthermore, the FTP protocol is unencrypted and creates a risk of compromising sensitive information. |
OVAL details
- Test that the vsftpd service is not running: passed because these items were not found: Object oval:ssg-obj_service_not_running_vsftpd:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_not_running_vsftpd:ste:1 of type systemdunitproperty_state
- Test that the property LoadState from the service vsftpd is masked: passed because these items were not found: Object oval:ssg-obj_service_loadstate_is_masked_vsftpd:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_loadstate_is_masked_vsftpd:ste:1 of type systemdunitproperty_state
- Test that the property FragmentPath from the service vsftpd is set to /dev/null: passed because these items were not found: Object oval:ssg-obj_service_fragmentpath_is_dev_null_vsftpd:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_fragmentpath_is_dev_null_vsftpd:ste:1 of type systemdunitproperty_state
Disable snmpd Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_snmpd_disabled |
|---|---|
| Result | pass |
| Time | 2021-02-16T19:41:08 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-80274-4; References: 2.2.14, SRG-OS-000480-VMM-002000 |
| Description | The snmpd service can be disabled with the following command: `$ sudo systemctl disable snmpd.service` The snmpd service can be masked with the following command: `$ sudo systemctl mask snmpd.service` |
| Rationale | Running SNMP software provides a network-based avenue of attack, and should be disabled if not needed. |
OVAL details
- Test that the snmpd service is not running: passed because these items were not found: Object oval:ssg-obj_service_not_running_snmpd:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_not_running_snmpd:ste:1 of type systemdunitproperty_state
- Test that the property LoadState from the service snmpd is masked: passed because these items were not found: Object oval:ssg-obj_service_loadstate_is_masked_snmpd:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_loadstate_is_masked_snmpd:ste:1 of type systemdunitproperty_state
- Test that the property FragmentPath from the service snmpd is set to /dev/null: passed because these items were not found: Object oval:ssg-obj_service_fragmentpath_is_dev_null_snmpd:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_fragmentpath_is_dev_null_snmpd:ste:1 of type systemdunitproperty_state
Enable cron Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_crond_enabled |
| Result | pass |
| Time | 2021-02-16T19:41:08 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27323-5 References: 5.1.1, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3 |
| Description | The crond service can be enabled with the following command:
$ sudo systemctl enable crond.service |
| Rationale | Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential. |
OVAL details: Test that the crond service is running passed because of these items:
systemd test passed because of these items:
systemd test passed because of these items:

Remove the X Windows Package Group
| Rule ID | xccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed |
| Result | pass |
| Time | 2021-02-16T19:41:08 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27218-7 References: 2.2.2, 12, 15, 8, APO13.01, DSS01.04, DSS05.02, DSS05.03, CCI-000366, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, AC-17(8).1(ii), PR.AC-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-040730, SV-86931r4_rule |
| Description | By removing the xorg-x11-server-common package, the system no longer has X Windows installed. If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the system from being accidentally or maliciously booted into graphical user mode. To remove the package group and the package, run the following commands:
$ sudo yum groupremove "X Window System"
$ sudo yum remove xorg-x11-server-common |
| Rationale | Unnecessary service packages must not be installed to decrease the attack surface of the system. X Windows has a long history of security vulnerabilities and should not be installed unless approved and documented. |
OVAL details: package xorg-x11-server-common is removed passed because these items were not found: Object oval:ssg-obj_package_xorg-x11-server-common_removed:obj:1 of type rpminfo_object

Disable named Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_named_disabled |
| Result | pass |
| Time | 2021-02-16T19:41:08 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-80325-4 References: 2.2.8, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3 |
| Description | The named service can be disabled with the following command:
$ sudo systemctl disable named.service
The named service can be masked with the following command:
$ sudo systemctl mask named.service |
| Rationale | All network services involve some risk of compromise due to implementation flaws and should be disabled if possible. |
OVAL details: Test that the named service is not running passed because these items were not found: Object oval:ssg-obj_service_not_running_named:obj:1 of type systemdunitproperty_object
State oval:ssg-state_service_not_running_named:ste:1 of type systemdunitproperty_state
Test that the property LoadState from the service named is masked passed because these items were not found: Object oval:ssg-obj_service_loadstate_is_masked_named:obj:1 of type systemdunitproperty_object
State oval:ssg-state_service_loadstate_is_masked_named:ste:1 of type systemdunitproperty_state
Test that the property FragmentPath from the service named is set to /dev/null passed because these items were not found: Object oval:ssg-obj_service_fragmentpath_is_dev_null_named:obj:1 of type systemdunitproperty_object
State oval:ssg-state_service_fragmentpath_is_dev_null_named:ste:1 of type systemdunitproperty_state

Uninstall openldap-servers Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_openldap-servers_removed |
| Result | pass |
| Time | 2021-02-16T19:41:08 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-80293-4 References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3 |
| Description | The openldap-servers package can be removed with the following command:
$ sudo yum erase openldap-servers
The openldap-servers RPM is not installed by default on a Red Hat Enterprise Linux 7 system. It is needed only by the OpenLDAP server, not by the clients which use LDAP for authentication. If the system is not intended for use as an LDAP server, it should be removed. |
| Rationale | Unnecessary packages should not be installed to decrease the attack surface of the system. While this software is clearly essential on an LDAP server, it is not necessary on typical desktop or workstation systems. |
OVAL details: package openldap-servers is removed passed because these items were not found: Object oval:ssg-obj_package_openldap-servers_removed:obj:1 of type rpminfo_object

Disable Postfix Network Listening
| Rule ID | xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled |
| Result | pass |
| Time | 2021-02-16T19:41:08 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80289-2 References: 2.2.15, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000382, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3 |
| Description | Edit the file /etc/postfix/main.cf so that the inet_interfaces setting reads:
inet_interfaces = localhost |
| Rationale | This ensures |
OVAL details: inet_interfaces in /etc/postfix/main.cf should be set correctly passed because of these items:

Disable Samba
| Rule ID | xccdf_org.ssgproject.content_rule_service_smb_disabled |
| Result | pass |
| Time | 2021-02-16T19:41:08 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-80277-7 References: 2.2.12, CCI-001436 |
| Description | The smb service can be disabled with the following command:
$ sudo systemctl disable smb.service
The smb service can be masked with the following command:
$ sudo systemctl mask smb.service |
| Rationale | Running a Samba server provides a network-based avenue of attack, and should be disabled if not needed. |
OVAL details: Test that the smb service is not running passed because these items were not found: Object oval:ssg-obj_service_not_running_smb:obj:1 of type systemdunitproperty_object
State oval:ssg-state_service_not_running_smb:ste:1 of type systemdunitproperty_state
Test that the property LoadState from the service smb is masked passed because these items were not found: Object oval:ssg-obj_service_loadstate_is_masked_smb:obj:1 of type systemdunitproperty_object
State oval:ssg-state_service_loadstate_is_masked_smb:ste:1 of type systemdunitproperty_state
Test that the property FragmentPath from the service smb is set to /dev/null passed because these items were not found: Object oval:ssg-obj_service_fragmentpath_is_dev_null_smb:obj:1 of type systemdunitproperty_object
State oval:ssg-state_service_fragmentpath_is_dev_null_smb:ste:1 of type systemdunitproperty_state

Disable httpd Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_httpd_disabled |
| Result | fail |
| Time | 2021-02-16T19:41:08 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-80300-7 References: 2.2.10, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3 |
| Description | The httpd service can be disabled with the following command:
$ sudo systemctl disable httpd.service
The httpd service can be masked with the following command:
$ sudo systemctl mask httpd.service |
| Rationale | Running web server software provides a network-based avenue of attack, and should be disabled if not needed. |
OVAL details: Test that the httpd service is not running failed because of these items:
Test that the property LoadState from the service httpd is masked failed because of these items:
Test that the property FragmentPath from the service httpd is set to /dev/null failed because of these items:
Remediation Shell script: (available)
Remediation Ansible snippet: (available)

Enable the NTP Daemon
| Rule ID | xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled |
| Result | fail |
| Time | 2021-02-16T19:41:09 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27444-9 References: 2.2.1.1, 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, 3.3.7, CCI-000160, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, AU-8(1), PR.PT-1, Req-10.4, SRG-OS-000356-VMM-001340 |
| Description | Run the following command to determine the current status of the chronyd service:
$ systemctl is-active chronyd
If the service is running, it should return the following: active
Note: The chronyd daemon is enabled by default.
Run the following command to determine the current status of the ntpd service:
$ systemctl is-active ntpd
If the service is running, it should return the following: active
Note: The ntpd daemon is not enabled by default. Though, as mentioned in the previous sections, in certain environments the ntpd daemon might be preferred over chronyd. Refer to:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html
for guidance on which NTP daemon to choose for the environment in use. |
| Rationale | Enabling some of |
Remediation Shell script: (available)

Disable Red Hat Network Service (rhnsd)
| Rule ID | xccdf_org.ssgproject.content_rule_service_rhnsd_disabled |
| Result | fail |
| Time | 2021-02-16T19:41:09 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-80269-4 References: 1.2.5, 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000382, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-17(8), CM-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4 |
| Description | The Red Hat Network service automatically queries Red Hat Network servers to determine whether there are any actions that should be executed, such as package updates. This only occurs if the system was registered to an RHN server or satellite and managed as such.
The rhnsd service can be disabled with the following command:
$ sudo systemctl disable rhnsd.service
The rhnsd service can be masked with the following command:
$ sudo systemctl mask rhnsd.service |
| Rationale | Although systems management and patching is extremely important to system security, management by a system outside the enterprise enclave is not desirable for some environments. However, if the system is being managed by RHN or RHN Satellite Server the |
OVAL details: Test that the rhnsd service is not running failed because of these items:
Test that the property LoadState from the service rhnsd is masked failed because of these items:
Test that the property FragmentPath from the service rhnsd is set to /dev/null failed because of these items:
Remediation Shell script: (available)
Remediation Ansible snippet: (available)

Disable SSH Access via Empty Passwords
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords |
| Result | pass |
| Time | 2021-02-16T19:41:09 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-27471-2 References: 5.2.9, 11, 12, 13, 14, 15, 16, 18, 3, 5, 9, 5.5.6, APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, 3.1.1, 3.1.5, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-3, AC-6, AC-17(b), CM-6(b), PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3, FIA_AFL.1, SRG-OS-000480-GPOS-00229, RHEL-07-010300, SV-86563r3_rule, SRG-OS-000480-VMM-002000 |
| Description | To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in /etc/ssh/sshd_config:
PermitEmptyPasswords no
Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords. |
| Rationale | Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. |
OVAL details: tests the value of PermitEmptyPasswords setting in the /etc/ssh/sshd_config file passed because these items were not found: Object oval:ssg-obj_sshd_disable_empty_passwords:obj:1 of type textfilecontent54_object
State oval:ssg-state_sshd_disable_empty_passwords:ste:1 of type textfilecontent54_state
tests the absence of PermitEmptyPasswords setting in the /etc/ssh/sshd_config file passed because these items were not found: Object oval:ssg-obj_sshd_disable_empty_passwords_default_not_overriden:obj:1 of type textfilecontent54_object

Set SSH Client Alive Max Count
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_keepalive |
| Result | fail |
| Time | 2021-02-16T19:41:09 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27082-7 References: 5.2.12, 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.5.6, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.11, CCI-000879, CCI-001133, CCI-002361, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-2(5), SA-8, AC-12, AC-17(b), SC-10, DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109A, RHEL-07-040340, SV-86865r4_rule, SRG-OS-000480-VMM-002000 |
| Description | To ensure the SSH idle timeout occurs precisely when the ClientAliveInterval is reached, add or correct the following line in /etc/ssh/sshd_config:
ClientAliveCountMax 0 |
| Rationale | This ensures a user login will be terminated as soon as the ClientAliveInterval is reached. |
OVAL details: Tests the value of the ClientAliveCountMax setting in the /etc/ssh/sshd_config file failed because these items were missing: Object oval:ssg-obj_sshd_clientalivecountmax:obj:1 of type textfilecontent54_object
State oval:ssg-state_sshd_clientalivecountmax:ste:1 of type textfilecontent54_state
Remediation Shell script: (available)
Remediation Ansible snippet: (available)

Set SSH Idle Timeout Interval
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout |
| Result | fail |
| Time | 2021-02-16T19:41:09 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27433-2 References: NT28(R29), 5.2.12, 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.5.6, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.11, CCI-000879, CCI-001133, CCI-002361, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-2(5), SA-8(i), AC-12, AC-17(b), SC-10, DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, Req-8.1.8, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000126-GPOS-00066, RHEL-07-040320, SV-86861r4_rule, SRG-OS-000480-VMM-002000 |
| Description | SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out. To set the interval, add or correct the following line in /etc/ssh/sshd_config:
ClientAliveInterval 300
The timeout interval is given in seconds. To have a timeout of e.g. 10 minutes, set the interval to 600. If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle. |
| Rationale | Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. |
OVAL details: timeout is configured failed because these items were missing: Object oval:ssg-object_sshd_idle_timeout:obj:1 of type textfilecontent54_object
State oval:ssg-state_timeout_value_upper_bound:ste:1 of type textfilecontent54_state
Remediation Shell script: (available)
Remediation Ansible snippet: (available)

Use Only FIPS 140-2 Validated MACs
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_use_approved_macs |
| Result | fail |
| Time | 2021-02-16T19:41:09 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27455-5 References: 5.2.12, 1, 12, 13, 15, 16, 5, 8, APO01.06, APO13.01, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.07, DSS06.02, DSS06.03, 3.1.13, 3.13.11, 3.13.8, CCI-000068, CCI-000803, CCI-001453, CCI-000877, CCI-003123, 164.308(b)(1), 164.308(b)(2), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii), 164.314(b)(2)(i), 4.3.3.5.1, 4.3.3.6.6, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.11.2.6, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-17(b), AC-17(2), IA-7, SC-13, MA-4(6), PR.AC-1, PR.AC-3, PR.DS-5, PR.PT-4, SRG-OS-000250-GPOS-00093, SRG-OS-000125-GPOS-00065, SRG-OS-000394-GPOS-00174, RHEL-07-040400, SV-86877r3_rule, SRG-OS-000033-VMM-000140, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000480-VMM-002000, SRG-OS-000396-VMM-001590 |
| Description | Limit the MACs to those hash algorithms which are FIPS-approved. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved MACs:
MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1
The man page sshd_config(5) contains a list of supported MACs. Only the following message authentication codes are FIPS 140-2 certified on Red Hat Enterprise Linux 7:
- hmac-sha1
- hmac-sha2-256
- hmac-sha2-512
- hmac-sha1-etm@openssh.com
- hmac-sha2-256-etm@openssh.com
- hmac-sha2-512-etm@openssh.com
Any combination of the above MACs will pass this check. Official FIPS 140-2 paperwork for Red Hat Enterprise Linux 7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf |
| Rationale | DoD Information Systems are required to use FIPS-approved cryptographic hash functions. The only SSHv2 hash algorithm family meeting this requirement is SHA2. |
| Warnings | Warning: The system needs to be rebooted for these changes to take effect.
Warning: The Federal Information Systems Modernization Act (FISMA) requires cryptography protecting sensitive or valuable data to undergo FIPS 140 validation. The U.S. National Institute of Standards and Technology (NIST) views unvalidated cryptography as providing no protection to the information or data; in effect the data would be considered unprotected plaintext. If the agency specifies that the information or data be cryptographically protected, FIPS 140 is applicable. This configuration check will fail on platforms lacking FIPS 140 validation, such as the CentOS, Scientific Linux, and Fedora projects, even if FIPS-approved ciphers can be installed and enabled. See https://csrc.nist.gov/Projects/cryptographic-module-validation-program for more information about the Cryptographic Module Validation Program. A list of FIPS validated cryptographic modules can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm. The validated cryptographic modules only apply to the products and companies listed in the active validation list. |
OVAL details: tests the value of MACs setting in the /etc/ssh/sshd_config file failed because these items were missing: Object oval:ssg-obj_sshd_use_approved_macs:obj:1 of type variable_object
State oval:ssg-ste_sshd_use_approved_macs:ste:1 of type variable_state
Remediation Shell script: (available)
Remediation Ansible snippet: (available)

Do Not Allow SSH Environment Options
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env |
| Result | fail |
| Time | 2021-02-16T19:41:09 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27363-1 References: 5.2.10, 11, 3, 9, 5.5.6, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(b), CM-6(b), PR.IP-1, SRG-OS-000480-GPOS-00229, RHEL-07-010460, SV-86581r3_rule, SRG-OS-000480-VMM-002000 |
| Description | To ensure users are not able to override environment variables of the SSH daemon, add or correct the following line in /etc/ssh/sshd_config:
PermitUserEnvironment no |
| Rationale | SSH environment options potentially allow users to bypass access restrictions in some configurations. |
OVAL details: tests the value of PermitUserEnvironment setting in the /etc/ssh/sshd_config file failed because these items were missing: Object oval:ssg-obj_sshd_do_not_permit_user_env:obj:1 of type textfilecontent54_object
State oval:ssg-state_sshd_do_not_permit_user_env:ste:1 of type textfilecontent54_state
Remediation Shell script: (available)
Remediation Ansible snippet: (available)

Allow Only SSH Protocol 2
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2 |
| Result | fail |
| Time | 2021-02-16T19:41:09 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-27320-1 References: 5.2.2, 1, 12, 15, 16, 5, 8, 5.5.6, APO13.01, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.13, 3.5.4, CCI-000197, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, AC-17(b), AC-17(8).1(ii), IA-5(1)(c), PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, PR.PT-4, SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227, RHEL-07-040390, SV-86875r4_rule, SRG-OS-000033-VMM-000140 |
| Description | Only SSH protocol version 2 connections should be permitted. The default setting in /etc/ssh/sshd_config can be verified by ensuring that the following line appears:
Protocol 2 |
| Rationale | SSH protocol version 1 is an insecure implementation of the SSH protocol and has many well-known, exploitable vulnerabilities. Exploits of the SSH daemon could provide immediate root access to the system. |
| Warnings | Warning: As of openssh-server version 7.4 and above, the only protocol supported is version 2, and the line Protocol 2 in /etc/ssh/sshd_config is not necessary. |
OVAL details: tests the value of Protocol setting in the /etc/ssh/sshd_config file failed because these items were missing: Object oval:ssg-obj_sshd_allow_only_protocol2:obj:1 of type textfilecontent54_object
State oval:ssg-state_sshd_allow_only_protocol2:ste:1 of type textfilecontent54_state
Remediation Shell script: (available)
Remediation Ansible snippet: (available)

Set LogLevel to INFO
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info |
| Result | pass |
| Time | 2021-02-16T19:41:09 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-80645-5 |
| Description | The INFO level specifies that login and logout activity will be logged. To specify the log level in SSH, add or correct the following line in the /etc/ssh/sshd_config file: `LogLevel INFO` |
| Rationale | SSH provides several logging levels with varying amounts of verbosity. |
OVAL details: tests the value of LogLevel setting in the /etc/ssh/sshd_config file passed because these items were not found: Object oval:ssg-obj_sshd_set_loglevel_info:obj:1 of type textfilecontent54_object; State oval:ssg-state_sshd_set_loglevel_info:ste:1 of type textfilecontent54_state
tests the absence of LogLevel setting in the /etc/ssh/sshd_config file passed because these items were not found: Object oval:ssg-obj_sshd_set_loglevel_info_default_not_overriden:obj:1 of type textfilecontent54_object
Enable Encrypted X11 Forwarding
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding |
| Result | pass |
| Time | 2021-02-16T19:41:09 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-80226-4 References: 5.2.4, 1, 11, 12, 13, 15, 16, 18, 20, 3, 4, 6, 9, BAI03.08, BAI07.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS03.01, 3.1.13, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 7.6, A.12.1.1, A.12.1.2, A.12.1.4, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-2(1)(b), DE.AE-1, PR.DS-7, PR.IP-1, SRG-OS-000480-GPOS-00227, RHEL-07-040710, SV-86927r4_rule |
| Description | By default, remote X11 connections are not encrypted when initiated by users. SSH has the capability to encrypt remote X11 connections when SSH's `X11Forwarding` option is enabled in /etc/ssh/sshd_config: `X11Forwarding yes` |
| Rationale | Open X displays allow an attacker to capture keystrokes and to execute commands remotely. |
OVAL details: tests the value of X11Forwarding setting in the /etc/ssh/sshd_config file passed because of these items:
Use Only FIPS 140-2 Validated Ciphers
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers |
| Result | fail |
| Time | 2021-02-16T19:41:09 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27295-5 References: 5.2.10, 1, 11, 12, 14, 15, 16, 18, 3, 5, 6, 8, 9, 5.5.6, APO11.04, APO13.01, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, MEA02.01, 3.1.13, 3.13.11, 3.13.8, CCI-000068, CCI-000366, CCI-000803, 164.308(b)(1), 164.308(b)(2), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii), 164.314(b)(2)(i), 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.18.1.4, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-3, AC-17(b), AC-17(2), AU-10(5), CM-6(b), IA-5(1)(c), IA-7, SI-7, SC-13, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-1, PR.PT-1, PR.PT-3, PR.PT-4, SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, RHEL-07-040110, SV-86845r3_rule, SRG-OS-000033-VMM-000140, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 |
| Description | Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following `Ciphers` line in /etc/ssh/sshd_config uses only approved algorithms: `Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc`. The man page sshd_config(5) contains a list of supported ciphers. The following ciphers are FIPS 140-2 certified on Red Hat Enterprise Linux 7: aes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc, aes192-cbc, aes256-cbc, 3des-cbc, rijndael-cbc@lysator.liu.se. Any combination of the above ciphers will pass this check. Official FIPS 140-2 paperwork for Red Hat Enterprise Linux 7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf |
| Rationale | Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and system data may be compromised. |
| Warnings | The system needs to be rebooted for these changes to take effect. The Federal Information Systems Modernization Act (FISMA) requires cryptography protecting sensitive or valuable data to undergo FIPS 140 validation. The U.S. National Institute of Standards and Technology (NIST) views unvalidated cryptography as providing no protection to the information or data: in effect the data would be considered unprotected plaintext. If the agency specifies that the information or data be cryptographically protected, FIPS 140 is applicable. This configuration check will fail on platforms lacking FIPS 140 validation, such as the CentOS, Scientific Linux, and Fedora projects, even if FIPS-approved ciphers can be installed and enabled. See https://csrc.nist.gov/Projects/cryptographic-module-validation-program for more information about the Cryptographic Validation Program. A list of FIPS validated cryptographic modules can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm. The validated cryptographic modules only apply to the products and companies listed in the active validation list. |
OVAL details: tests the value of Ciphers setting in the /etc/ssh/sshd_config file failed because these items were missing: Object oval:ssg-obj_sshd_use_approved_ciphers:obj:1 of type textfilecontent54_object; State oval:ssg-state_sshd_use_approved_ciphers:ste:1 of type textfilecontent54_state
Disable Host-Based Authentication
| Rule ID | xccdf_org.ssgproject.content_rule_disable_host_auth |
| Result | pass |
| Time | 2021-02-16T19:41:09 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27413-4 References: 5.2.7, 11, 12, 14, 15, 16, 18, 3, 5, 9, 5.5.6, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-3, AC-17, CM-6(b), PR.AC-4, PR.AC-6, PR.IP-1, PR.PT-3, FIA_AFL.1, SRG-OS-000480-GPOS-00229, RHEL-07-010470, SV-86583r3_rule, SRG-OS-000480-VMM-002000 |
| Description | SSH's cryptographic host-based authentication is more secure than [...]. To disable it, add or correct the following line in /etc/ssh/sshd_config: `HostbasedAuthentication no` |
| Rationale | SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. |
OVAL details: tests the value of HostbasedAuthentication setting in the /etc/ssh/sshd_config file passed because these items were not found: Object oval:ssg-obj_disable_host_auth:obj:1 of type textfilecontent54_object; State oval:ssg-state_disable_host_auth:ste:1 of type textfilecontent54_state
tests the absence of HostbasedAuthentication setting in the /etc/ssh/sshd_config file passed because these items were not found: Object oval:ssg-obj_disable_host_auth_default_not_overriden:obj:1 of type textfilecontent54_object
Set SSH authentication attempt limit
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries |
| Result | fail |
| Time | 2021-02-16T19:41:09 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82354-2 References: 5.2.5 |
| Description | The `MaxAuthTries` parameter in /etc/ssh/sshd_config limits the number of authentication attempts permitted per connection; the check compares its value against the profile's upper bound (state oval:ssg-state_maxauthtries_value_upper_bound). |
| Rationale | Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. |
OVAL details: maxauthtries is configured failed because these items were missing: Object oval:ssg-object_sshd_max_auth_tries:obj:1 of type textfilecontent54_object; State oval:ssg-state_maxauthtries_value_upper_bound:ste:1 of type textfilecontent54_state
Disable SSH Root Login
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_root_login |
| Result | fail |
| Time | 2021-02-16T19:41:09 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27445-6 References: NT28(R19), 5.2.8, 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.6, APO01.06, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.1.5, CCI-000366, CCI-000770, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-3, AC-6(2), AC-17(b), IA-2, IA-2(5), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, PR.PT-3, FIA_AFL.1, SRG-OS-000480-GPOS-00227, SRG-OS-000109-GPOS-00056, RHEL-07-040370, SV-86871r3_rule, SRG-OS-000480-VMM-002000 |
| Description | The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in /etc/ssh/sshd_config: `PermitRootLogin no` |
| Rationale | Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password. |
OVAL details: tests the value of PermitRootLogin setting in the /etc/ssh/sshd_config file failed because these items were missing: Object oval:ssg-obj_sshd_disable_root_login:obj:1 of type textfilecontent54_object; State oval:ssg-state_sshd_disable_root_login:ste:1 of type textfilecontent54_state
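The sshd rules above (PermitUserEnvironment, Protocol, LogLevel, X11Forwarding, Ciphers, HostbasedAuthentication, MaxAuthTries and PermitRootLogin) are all textfilecontent54 checks over /etc/ssh/sshd_config. The following POSIX shell audit is an added example, not SCAP Security Guide code, that emulates those checks against a constructed sample configuration. It reproduces the details that matter for a correct check: sshd keywords are case-insensitive, the first uncommented occurrence wins, an absent LogLevel or HostbasedAuthentication passes because the compiled-in defaults (INFO, no) already satisfy the rule (the report's "default_not_overriden" tests), and a Ciphers list fails if even one entry is outside the FIPS list the rule quotes. The MaxAuthTries bound of 4 is an assumed value; the profile's actual bound is not shown in the report.

```shell
#!/bin/sh
# Added example, not SCAP Security Guide code. Emulates the sshd_config
# checks of the rules above. The MaxAuthTries limit (4) is an assumption.

# Constructed sample of /etc/ssh/sshd_config (not taken from a real host).
SAMPLE_SSHD_CONFIG='# constructed sample
Protocol 2
LogLevel INFO
X11Forwarding yes
#PermitRootLogin yes
PermitRootLogin no
PermitUserEnvironment no
HostbasedAuthentication no
MaxAuthTries 4
Ciphers aes256-ctr,aes128-ctr,arcfour
'

# effective_value CONFIG_TEXT KEYWORD
# Prints the value of the first uncommented KEYWORD line (empty if unset).
# Keywords are case-insensitive and the first match wins, as in sshd, so the
# commented "#PermitRootLogin yes" above must not count.
effective_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) && !done {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")
            sub(/[[:space:]]+$/, "")
            print
            done = 1
        }'
}

# check_setting CONFIG_TEXT KEYWORD EXPECTED_REGEX [allow_default]
# Passes when the effective value matches EXPECTED_REGEX. With a fourth
# argument an absent keyword also passes (default-not-overridden semantics).
check_setting() {
    value=$(effective_value "$1" "$2")
    if [ -z "$value" ]; then
        [ -n "${4:-}" ]
        return
    fi
    printf '%s' "$value" | grep -Eq "^($3)"'$'
}

# check_max_auth_tries CONFIG_TEXT LIMIT
# Passes when MaxAuthTries is an integer no greater than LIMIT; unset or
# non-numeric values fail (the report's "upper bound" state).
check_max_auth_tries() {
    value=$(effective_value "$1" MaxAuthTries)
    case "$value" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$value" -le "$2" ]
}

# Ciphers the rule lists as FIPS 140-2 certified on RHEL 7.
APPROVED_CIPHERS='aes128-ctr aes192-ctr aes256-ctr aes128-cbc aes192-cbc aes256-cbc 3des-cbc rijndael-cbc@lysator.liu.se'

# check_ciphers CONFIG_TEXT
# Passes only when Ciphers is set and every listed cipher is approved;
# a single unapproved entry (arcfour in the sample) fails the rule.
check_ciphers() {
    list=$(effective_value "$1" Ciphers)
    [ -n "$list" ] || return 1
    for c in $(printf '%s' "$list" | tr ',' ' '); do
        case " $APPROVED_CIPHERS " in
            *" $c "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# audit_sshd CONFIG_TEXT
# Prints one pass/fail line per rule and returns the number of failures.
audit_sshd() {
    nfail=0
    for rule in 'Protocol|2|' 'LogLevel|INFO|default' 'X11Forwarding|yes|' \
                'PermitRootLogin|no|' 'PermitUserEnvironment|no|' \
                'HostbasedAuthentication|no|default'; do
        key=${rule%%|*}; rest=${rule#*|}
        expected=${rest%%|*}; dflt=${rest#*|}
        if check_setting "$1" "$key" "$expected" $dflt; then r=pass
        else r=fail; nfail=$((nfail + 1)); fi
        printf '%-26s %s\n' "$key" "$r"
    done
    if check_max_auth_tries "$1" 4; then r=pass; else r=fail; nfail=$((nfail + 1)); fi
    printf '%-26s %s\n' 'MaxAuthTries (<= 4)' "$r"
    if check_ciphers "$1"; then r=pass; else r=fail; nfail=$((nfail + 1)); fi
    printf '%-26s %s\n' 'Ciphers (FIPS list only)' "$r"
    return "$nfail"
}

audit_sshd "$SAMPLE_SSHD_CONFIG" || echo "$? rule(s) failed"
```

To audit a live host, pass `"$(cat /etc/ssh/sshd_config)"` instead of the sample. Like the OVAL checks, the script scans directives line by line and does not evaluate `Match` blocks, which can override a global setting for specific users or hosts; `sshd -T` prints the fully resolved configuration when that matters.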
Disable DHCP Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_dhcpd_disabled |
| Result | pass |
| Time | 2021-02-16T19:41:09 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80330-4 References: 2.2.5, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3 |
| Description | The dhcpd service can be disabled with the following command: `$ sudo systemctl disable dhcpd.service` The dhcpd service can be masked with the following command: `$ sudo systemctl mask dhcpd.service` |
| Rationale | Unmanaged or unintentionally activated DHCP servers may provide faulty information to clients, interfering with the operation of a legitimate site DHCP server if there is one. |
OVAL details: Test that the dhcpd service is not running passed because these items were not found: Object oval:ssg-obj_service_not_running_dhcpd:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_not_running_dhcpd:ste:1 of type systemdunitproperty_state
Test that the property LoadState from the service dhcpd is masked passed because these items were not found: Object oval:ssg-obj_service_loadstate_is_masked_dhcpd:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_loadstate_is_masked_dhcpd:ste:1 of type systemdunitproperty_state
Test that the property FragmentPath from the service dhcpd is set to /dev/null passed because these items were not found: Object oval:ssg-obj_service_fragmentpath_is_dev_null_dhcpd:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_fragmentpath_is_dev_null_dhcpd:ste:1 of type systemdunitproperty_state
Disable Dovecot Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_dovecot_disabled |
| Result | pass |
| Time | 2021-02-16T19:41:09 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-80294-2 References: 2.2.11 |
| Description | The dovecot service can be disabled with the following command: `$ sudo systemctl disable dovecot.service` The dovecot service can be masked with the following command: `$ sudo systemctl mask dovecot.service` |
| Rationale | Running an IMAP or POP3 server provides a network-based avenue of attack, and should be disabled if not needed. |
OVAL details: Test that the dovecot service is not running passed because these items were not found: Object oval:ssg-obj_service_not_running_dovecot:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_not_running_dovecot:ste:1 of type systemdunitproperty_state
Test that the property LoadState from the service dovecot is masked passed because these items were not found: Object oval:ssg-obj_service_loadstate_is_masked_dovecot:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_loadstate_is_masked_dovecot:ste:1 of type systemdunitproperty_state
Test that the property FragmentPath from the service dovecot is set to /dev/null passed because these items were not found: Object oval:ssg-obj_service_fragmentpath_is_dev_null_dovecot:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_fragmentpath_is_dev_null_dovecot:ste:1 of type systemdunitproperty_state
Disable rpcbind Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_rpcbind_disabled |
| Result | fail |
| Time | 2021-02-16T19:41:09 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-80230-6 References: 2.2.7 |
| Description | The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The rpcbind service redirects the client to the proper port number so it can communicate with the requested service. If the system does not require RPC (such as for NFS servers) then this service should be disabled. The rpcbind service can be disabled with the following command: `$ sudo systemctl disable rpcbind.service` The rpcbind service can be masked with the following command: `$ sudo systemctl mask rpcbind.service` |
| Rationale | |
OVAL details: Test that the rpcbind service is not running failed because of these items:
Test that the property LoadState from the service rpcbind is masked failed because of these items:
Test that the property FragmentPath from the service rpcbind is set to /dev/null failed because of these items:
Disable Network File System (nfs)
| Rule ID | xccdf_org.ssgproject.content_rule_service_nfs_disabled |
| Result | pass |
| Time | 2021-02-16T19:41:09 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-80237-1 References: 2.2.7, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-3, PR.AC-4, PR.AC-6, PR.PT-3 |
| Description | The Network File System (NFS) service allows remote hosts to mount and interact with shared filesystems on the local system. If the local system is not designated as an NFS server then this service should be disabled. The nfs service can be disabled with the following command: `$ sudo systemctl disable nfs.service` The nfs service can be masked with the following command: `$ sudo systemctl mask nfs.service` |
| Rationale | Unnecessary services should be disabled to decrease the attack surface of the system. |
OVAL details: Test that the nfs service is not running passed because these items were not found: Object oval:ssg-obj_service_not_running_nfs:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_not_running_nfs:ste:1 of type systemdunitproperty_state
Test that the property LoadState from the service nfs is masked passed because these items were not found: Object oval:ssg-obj_service_loadstate_is_masked_nfs:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_loadstate_is_masked_nfs:ste:1 of type systemdunitproperty_state
Test that the property FragmentPath from the service nfs is set to /dev/null passed because these items were not found: Object oval:ssg-obj_service_fragmentpath_is_dev_null_nfs:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_fragmentpath_is_dev_null_nfs:ste:1 of type systemdunitproperty_state
Disable the CUPS Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_cups_disabled |
| Result | pass |
| Time | 2021-02-16T19:41:09 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-80282-7 References: 2.2.4, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3 |
| Description | The cups service can be disabled with the following command: `$ sudo systemctl disable cups.service` The cups service can be masked with the following command: `$ sudo systemctl mask cups.service` |
| Rationale | Turn off unneeded services to reduce attack surface. |
OVAL details: Test that the cups service is not running passed because these items were not found: Object oval:ssg-obj_service_not_running_cups:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_not_running_cups:ste:1 of type systemdunitproperty_state
Test that the property LoadState from the service cups is masked passed because these items were not found: Object oval:ssg-obj_service_loadstate_is_masked_cups:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_loadstate_is_masked_cups:ste:1 of type systemdunitproperty_state
Test that the property FragmentPath from the service cups is set to /dev/null passed because these items were not found: Object oval:ssg-obj_service_fragmentpath_is_dev_null_cups:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_fragmentpath_is_dev_null_cups:ste:1 of type systemdunitproperty_state
Disable Avahi Server Software
| Rule ID | xccdf_org.ssgproject.content_rule_service_avahi-daemon_disabled |
| Result | pass |
| Time | 2021-02-16T19:41:09 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-80338-7 References: 2.2.3, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3 |
| Description | The avahi-daemon service can be disabled with the following command: `$ sudo systemctl disable avahi-daemon.service` The avahi-daemon service can be masked with the following command: `$ sudo systemctl mask avahi-daemon.service` |
| Rationale | Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted. |
OVAL details: Test that the avahi-daemon service is not running passed because these items were not found: Object oval:ssg-obj_service_not_running_avahi-daemon:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_not_running_avahi-daemon:ste:1 of type systemdunitproperty_state
Test that the property LoadState from the service avahi-daemon is masked passed because these items were not found: Object oval:ssg-obj_service_loadstate_is_masked_avahi-daemon:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_loadstate_is_masked_avahi-daemon:ste:1 of type systemdunitproperty_state
Test that the property FragmentPath from the service avahi-daemon is set to /dev/null passed because these items were not found: Object oval:ssg-obj_service_fragmentpath_is_dev_null_avahi-daemon:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_fragmentpath_is_dev_null_avahi-daemon:ste:1 of type systemdunitproperty_state
Disable Squid
| Rule ID | xccdf_org.ssgproject.content_rule_service_squid_disabled |
| Result | pass |
| Time | 2021-02-16T19:41:10 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-80285-0 References: 2.2.13 |
| Description | The squid service can be disabled with the following command: `$ sudo systemctl disable squid.service` The squid service can be masked with the following command: `$ sudo systemctl mask squid.service` |
| Rationale | Running proxy server software provides a network-based avenue of attack, and should be removed if not needed. |
OVAL details: Test that the squid service is not running passed because these items were not found: Object oval:ssg-obj_service_not_running_squid:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_not_running_squid:ste:1 of type systemdunitproperty_state
Test that the property LoadState from the service squid is masked passed because these items were not found: Object oval:ssg-obj_service_loadstate_is_masked_squid:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_loadstate_is_masked_squid:ste:1 of type systemdunitproperty_state
Test that the property FragmentPath from the service squid is set to /dev/null passed because these items were not found: Object oval:ssg-obj_service_fragmentpath_is_dev_null_squid:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_fragmentpath_is_dev_null_squid:ste:1 of type systemdunitproperty_state
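Each "Disable ... Service" rule above (dhcpd, dovecot, rpcbind, nfs, cups, avahi-daemon, squid) is evaluated by the same three systemdunitproperty tests: the unit is not running, its LoadState is masked, and its FragmentPath is /dev/null. The last two describe what `systemctl mask` produces, which is why `systemctl disable` alone leaves the rule failing. The following shell example is added here and is not SCAP Security Guide code; it runs those tests over the "Property=Value" output format of `systemctl show`, using constructed property dumps so it works offline. Two choices are the example's own, not the OVAL content's: the three tests are combined with AND, and a unit whose LoadState is not-found (no unit file installed) is treated as satisfying the rule.

```shell
#!/bin/sh
# Added example, not SCAP Security Guide code. Reproduces the three
# systemdunitproperty tests of the "Disable ... Service" rules above.

# Constructed property dumps, in the format printed by
# `systemctl show -p ActiveState,LoadState,FragmentPath UNIT`; not captured
# from a real host.
SAMPLE_MASKED='ActiveState=inactive
LoadState=masked
FragmentPath=/dev/null'
SAMPLE_RUNNING='ActiveState=active
LoadState=loaded
FragmentPath=/usr/lib/systemd/system/rpcbind.service'
SAMPLE_ABSENT='ActiveState=inactive
LoadState=not-found
FragmentPath='

# prop PROPS_TEXT NAME -> value of the first "NAME=..." line (empty if none)
prop() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# check LABEL TEST-ARGS... -> prints pass/fail for "[ TEST-ARGS ]", returns it
check() {
    label=$1; shift
    if [ "$@" ]; then printf '  %-42s pass\n' "$label"; return 0; fi
    printf '  %-42s fail\n' "$label"; return 1
}

# evaluate_unit_properties UNIT PROPS_TEXT
# Runs the three tests and returns the number that fail (0 = rule satisfied).
# LoadState=not-found means no unit file exists; this example treats that as
# satisfying the rule (its own convention, an assumption about intent).
evaluate_unit_properties() {
    unit=$1; nfail=0
    active=$(prop "$2" ActiveState)
    load=$(prop "$2" LoadState)
    frag=$(prop "$2" FragmentPath)
    echo "$unit:"
    if [ "$load" = not-found ]; then
        echo '  unit file not present, nothing to disable or mask'
        return 0
    fi
    check "the $unit service is not running" "$active" != active || nfail=$((nfail + 1))
    check "LoadState of $unit is masked" "$load" = masked || nfail=$((nfail + 1))
    check "FragmentPath of $unit is /dev/null" "$frag" = /dev/null || nfail=$((nfail + 1))
    return "$nfail"
}

# service_disabled_check UNIT -> the same tests against the live system
# (requires systemd; not exercised by the offline demonstration below)
service_disabled_check() {
    evaluate_unit_properties "$1" \
        "$(systemctl show -p ActiveState,LoadState,FragmentPath "$1.service")"
}

evaluate_unit_properties dhcpd "$SAMPLE_MASKED"
evaluate_unit_properties rpcbind "$SAMPLE_RUNNING" || echo "  $? test(s) failed, as in the rpcbind rule above"
evaluate_unit_properties dovecot "$SAMPLE_ABSENT"
```

A unit that has only been disabled (ActiveState=inactive, LoadState=loaded, FragmentPath pointing at its unit file) passes the first test and fails the other two, which is the gap between "disabled" and "masked" that the rules close.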
Make sure that the dconf databases are up-to-date with regards to respective keyfiles
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date |
| Result | notapplicable |
| Time | 2021-02-16T19:41:10 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-81004-4 |
| Description | By default, DConf uses a binary database as a data backend. The system-level database is compiled from keyfiles in the /etc/dconf/db/ directory by the `dconf update` command. |
| Rationale | Unlike text-based keyfiles, the binary database is impossible to check by OVAL. Therefore, in order to evaluate dconf configuration, both have to be true at the same time - configuration files have to be compliant, and the database needs to be more recent than those keyfiles, which gives confidence that it reflects them. |
Install AIDE
| Rule ID | xccdf_org.ssgproject.content_rule_package_aide_installed |
| Result | fail |
| Time | 2021-02-16T19:41:10 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27096-7 References: NT28(R51), 1.3.1, 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-3(d), CM-3(e), CM-6(d), CM-6(3), SC-28, SI-7, DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5 |
| Description | The aide package can be installed with the following command: `$ sudo yum install aide` |
| Rationale | The AIDE package must be installed if it is to be available for integrity checking. |
OVAL details: package aide is installed failed because these items were missing: Object oval:ssg-obj_package_aide_installed:obj:1 of type rpminfo_object
Configure Periodic Execution of AIDE
| Rule ID | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking |
| Result | fail |
| Time | 2021-02-16T19:41:10 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-26952-2 References: NT28(R51), 1.3.2, 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-3(d), CM-3(e), CM-3(5), CM-6(d), CM-6(3), SC-28, SI-7, DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, RHEL-07-020030, SV-86597r2_rule |
| Description | At a minimum, AIDE should be configured to run a weekly scan. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: `05 4 * * * root /usr/sbin/aide --check` To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: `05 4 * * 0 root /usr/sbin/aide --check` AIDE can be executed periodically through other means; this is merely one example. The usage of cron's special time codes, such as @daily and @weekly, is acceptable. |
| Rationale | By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. |
OVAL details: run aide with cron failed because these items were missing: Object oval:ssg-object_test_aide_periodic_cron_checking:obj:1 of type textfilecontent54_object
run aide with cron failed because these items were missing: Object oval:ssg-object_test_aide_crond_checking:obj:1 of type textfilecontent54_object
run aide with cron failed because these items were missing: Object oval:ssg-object_aide_var_cron_checking:obj:1 of type textfilecontent54_object
run aide with cron.(daily|weekly) failed because these items were missing: Object oval:ssg-object_aide_crontabs_checking:obj:1 of type textfilecontent54_object
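The rule above accepts several ways of scheduling `/usr/sbin/aide --check`: a five-field entry or a special time code in the system crontab, or a script dropped into a cron.daily or cron.weekly directory (the report's four "run aide with cron" tests look in those places). The following shell example is added here and is not SCAP Security Guide code; it checks constructed crontab and cron-script text for such an entry, ignoring commented-out lines. Its schedule filter is the example's own reading of the rule text rather than the OVAL content's exact pattern: @hourly, @daily and @weekly are accepted, @monthly is rejected because it is less frequent than the weekly minimum, and a five-field schedule is accepted without judging how often it fires.

```shell
#!/bin/sh
# Added example, not SCAP Security Guide code. Looks for a scheduled
# "/usr/sbin/aide --check" in crontab text and in cron.daily/weekly scripts.
# The accepted schedule forms are this example's interpretation of the rule.

# Constructed /etc/crontab contents (not from a real host): a commented-out
# AIDE entry, an unrelated job and a weekly AIDE check.
SAMPLE_CRONTAB='SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
#05 4 * * * root /usr/sbin/aide --check
0 1 * * * root /usr/bin/logrotate /etc/logrotate.conf
05 4 * * 0 root /usr/sbin/aide --check
'

# Constructed /etc/cron.daily/aide script: scripts in cron.* directories carry
# no schedule fields and no user column, so they are matched differently.
SAMPLE_CRON_SCRIPT='#!/bin/sh
/usr/sbin/aide --check
'

# uncommented TEXT -> TEXT without blank lines and #-comment lines
uncommented() {
    printf '%s\n' "$1" | grep -Ev '^[[:space:]]*(#|$)'
}

# aide_cron_scheduled CRONTAB_TEXT
# 0 if an uncommented system-crontab line runs /usr/sbin/aide --check as root
# with a five-field schedule or @hourly/@daily/@weekly, else 1.
aide_cron_scheduled() {
    uncommented "$1" | grep -Eq \
      '^[[:space:]]*(@(hourly|daily|weekly)[[:space:]]+|([^[:space:]]+[[:space:]]+){5})root[[:space:]]+/usr/sbin/aide[[:space:]]+--check([[:space:]]|$)'
}

# aide_cron_script SCRIPT_TEXT
# 0 if a cron.daily/cron.weekly script runs /usr/sbin/aide --check, else 1.
aide_cron_script() {
    uncommented "$1" | grep -Eq '(^|[[:space:]])/usr/sbin/aide[[:space:]]+--check([[:space:]]|$)'
}

# aide_scheduled CRONTAB_TEXT [SCRIPT_TEXT...]
# Rule-level verdict: 0 if any of the sources schedules the check.
aide_scheduled() {
    crontab=$1; shift
    aide_cron_scheduled "$crontab" && return 0
    for script in "$@"; do
        aide_cron_script "$script" && return 0
    done
    return 1
}

if aide_scheduled "$SAMPLE_CRONTAB" "$SAMPLE_CRON_SCRIPT"; then
    echo 'pass: a periodic AIDE check is scheduled'
else
    echo 'fail: no periodic AIDE check found'
fi
```

On a live host the inputs would be `"$(cat /etc/crontab)"` and the contents of each file in /etc/cron.daily and /etc/cron.weekly; per-user crontabs for root (the report's third test) use the same five-field format without the user column, so they would need a variant of the first pattern.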
Disable Prelinking
| Rule ID | xccdf_org.ssgproject.content_rule_disable_prelink |
| Result | pass |
| Time | 2021-02-16T19:41:10 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27078-5 References: 1.5.4, 11, 13, 14, 2, 3, 9, 5.10.1.3, APO01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS04.07, DSS05.03, DSS06.02, DSS06.06, 3.13.11, CCI-000803, CCI-002450, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.3, CM-6(d), CM-6(3), SC-13, SC-28, SI-7, IA-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, SRG-OS-000120-VMM-000600, SRG-OS-000478-VMM-001980, SRG-OS-000396-VMM-001590 |
| Description | The prelinking feature changes binaries in an attempt to decrease their startup time. In order to disable it, change or add the following line inside the prelink configuration file: `PRELINKING=no` Next, run the following command to return binaries to a normal, non-prelinked state: `$ sudo /usr/sbin/prelink -ua` |
| Rationale | Because the prelinking feature changes binaries, it can interfere with the operation of certain software and/or modes such as AIDE, FIPS, etc. |
OVAL details: Tests whether prelinking is disabled passed because these items were not found: Object oval:ssg-object_prelinking_disabled:obj:1 of type textfilecontent54_object
Ensure Software Patches Installed
| Rule ID | xccdf_org.ssgproject.content_rule_security_patches_up_to_date |
| Result | notchecked |
| Time | 2021-02-16T19:41:10 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-26895-3 References: NT28(R08), 1.8, 18, 20, 4, 5.10.4.1, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, CCI-000366, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, SI-2, SI-2(c), MA-1(b), ID.RA-1, PR.IP-12, FMT_MOF_EXT.1, Req-6.2, SRG-OS-000480-GPOS-00227, RHEL-07-020260, SV-86623r4_rule, SRG-OS-000480-VMM-002000 |
| Description | If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates: $ sudo yum update
If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the Red Hat Network and installed using rpm.
NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates. |
| Rationale | Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. |
Ensure Red Hat GPG Key Installed
| Rule ID | xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed |
| Result | pass |
| Time | 2021-02-16T19:41:10 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-26957-1 References: NT28(R15), 1.2.3, 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), CM-11(a), SI-7, MA-1(b), PR.DS-6, PR.DS-8, PR.IP-1, FAU_GEN.1.1.c, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650 |
| Description | To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed. To install the Red Hat GPG key, run: $ sudo subscription-manager register
If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in /media/cdrom, use the following command as the root user to import it into the keyring: $ sudo rpm --import /media/cdrom/RPM-GPG-KEY
Alternatively, the key may be pre-loaded during the RHEL installation. In such cases, the key can be installed by running the following command: sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release |
| Rationale | Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat. |
OVAL details:
Red Hat release key package is installed passed because of these items:
Red Hat auxiliary key package is installed passed because of these items:
CentOS7 key package is installed passed because of these items:
Ensure gpgcheck Enabled In Main yum Configuration
| Rule ID | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated |
| Result | pass |
| Time | 2021-02-16T19:41:10 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-26989-4 References: NT28(R15), 1.2.2, 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), CM-11, SI-7, MA-1(b), PR.DS-6, PR.DS-8, PR.IP-1, FAU_GEN.1.1.c, Req-6.2, SRG-OS-000366-GPOS-00153, RHEL-07-020050, SV-86601r2_rule, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650 |
| Description | The gpgcheck=1 |
| Rationale | Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. |
OVAL details: check value of gpgcheck in /etc/yum.conf passed because of these items:
Ensure /home Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_home |
| Result | fail |
| Time | 2021-02-16T19:41:10 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-80144-9 References: 1.1.13, 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, SC-32(1), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-021310, SV-86683r2_rule |
| Description | If user home directories will be stored locally, create a separate partition for |
| Rationale | Ensuring that |
OVAL details: /home on own partition failed because these items were missing: Object oval:ssg-object_mount_home_own_partition:obj:1 of type partition_object
Ensure /var/tmp Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var_tmp |
| Result | fail |
| Time | 2021-02-16T19:41:10 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-82353-4 |
| Description | The |
| Rationale | The |
OVAL details: /var/tmp on own partition failed because these items were missing: Object oval:ssg-object_mount_var_tmp_own_partition:obj:1 of type partition_object
Ensure /tmp Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_tmp |
| Result | fail |
| Time | 2021-02-16T19:41:10 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-82053-0 References: NT28(R12), 1.1.2, 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, SC-32(1), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-021340, SV-86689r3_rule |
| Description | The |
| Rationale | The |
OVAL details: /tmp on own partition failed because these items were missing: Object oval:ssg-object_mount_tmp_own_partition:obj:1 of type partition_object
Ensure /var Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var |
| Result | fail |
| Time | 2021-02-16T19:41:10 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-82014-2 References: 1.1.6, 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, SC-32(1), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-021320, SV-86685r2_rule, SRG-OS-000341-VMM-001220 |
| Description | The |
| Rationale | Ensuring that |
OVAL details: /var on own partition failed because these items were missing: Object oval:ssg-object_mount_var_own_partition:obj:1 of type partition_object
Ensure /var/log/audit Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var_log_audit |
| Result | fail |
| Time | 2021-02-16T19:41:10 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-82035-7 References: 1.1.12, 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, AU-4, AU-9, SC-32(1), PR.DS-4, PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-021330, SV-86687r6_rule, SRG-OS-000341-VMM-001220 |
| Description | Audit logs are stored in the |
| Rationale | Placing |
OVAL details: /var/log/audit on own partition failed because these items were missing: Object oval:ssg-object_mount_var_log_audit_own_partition:obj:1 of type partition_object
Remediation Anaconda snippet
Ensure /var/log Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var_log |
| Result | fail |
| Time | 2021-02-16T19:41:10 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82034-0 References: NT28(R12), NT28(R47), 1.1.11, 1, 12, 14, 15, 16, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, AU-9, SC-32, PR.PT-1, PR.PT-4 |
| Description | System logs are stored in the |
| Rationale | Placing |
OVAL details: /var/log on own partition failed because these items were missing: Object oval:ssg-object_mount_var_log_own_partition:obj:1 of type partition_object
Ensure Logs Sent To Remote Host
| Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost |
| Result | fail |
| Time | 2021-02-16T19:41:10 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27343-3 References: NT28(R7), NT28(R43), NT12(R5), 4.2.1.4, 1, 13, 14, 15, 16, 2, 3, 5, 6, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001348, CCI-000136, CCI-001851, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.308(a)(8), 164.310(d)(2)(iii), 164.312(b), 164.314(a)(2)(i)(C), 164.314(a)(2)(iii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.17.2.1, AU-3(2), AU-4(1), AU-9, PR.DS-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000480-GPOS-00227, RHEL-07-031000, SV-86833r2_rule, SRG-OS-000032-VMM-000130 |
| Description | To configure rsyslog to send logs to a remote log server, open
*.* @loghost.example.com
To use TCP for log message delivery:
*.* @@loghost.example.com
To use RELP for log message delivery:
*.* :omrelp:loghost.example.com
There must be a resolvable DNS CNAME or Alias record set to "logcollector" for logs to be sent correctly to the centralized logging utility. |
| Rationale | A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise. |
OVAL details:
Ensures system configured to export logs to remote host failed because these items were missing: Object oval:ssg-object_remote_loghost_rsyslog_conf:obj:1 of type textfilecontent54_object
Ensures system configured to export logs to remote host failed because these items were missing: Object oval:ssg-object_remote_loghost_rsyslog_d:obj:1 of type textfilecontent54_object
Remediation Shell script
Remediation Ansible snippet
Ensure Logrotate Runs Periodically
| Rule ID | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated |
| Result | fail |
| Time | 2021-02-16T19:41:10 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80195-1 References: NT28(R43), NT12(R18), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, AU-9, PR.PT-1, Req-10.7 |
| Description | The # rotate log files frequency daily |
| Rationale | Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full. |
OVAL details:
Tests the presence of daily setting in /etc/logrotate.conf file failed because these items were missing: Object oval:ssg-object_logrotate_conf_daily_setting:obj:1 of type textfilecontent54_object
Tests the existence of /etc/cron.daily/logrotate file (and verify it actually calls logrotate utility) failed because of these items:
Remediation Shell script
Enable rsyslog Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_rsyslog_enabled |
| Result | pass |
| Time | 2021-02-16T19:41:10 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80188-6 References: NT28(R5), NT28(R46), 4.2.1.1, 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, 164.312(a)(2)(ii), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, AU-4(1), AU-12, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1 |
| Description | The $ sudo systemctl enable rsyslog.service |
| Rationale | The |
OVAL details:
Test that the rsyslog service is running passed because of these items:
systemd test passed because of these items:
systemd test passed because of these items:
Ensure rsyslog is Installed
| Rule ID | xccdf_org.ssgproject.content_rule_package_rsyslog_installed |
| Result | pass |
| Time | 2021-02-16T19:41:10 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80187-8 References: NT28(R5), NT28(R46), 4.2.3, 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, AU-9(2), PR.PT-1 |
| Description | Rsyslog is installed by default. The $ sudo yum install rsyslog |
| Rationale | The rsyslog package provides the rsyslog daemon, which provides system logging services. |
OVAL details: package rsyslog is installed passed because of these items:
Disable Accepting ICMP Redirects for All IPv6 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects |
| Result | fail |
| Time | 2021-02-16T19:41:10 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80182-9 References: NT28(R22), 3.3.2, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3 |
| Description | To set the runtime status of the $ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_redirects = 0 |
| Rationale | An illicit ICMP redirect message could result in a man-in-the-middle attack. |
Remediation Shell script
Remediation Ansible snippet
Disable Accepting Router Advertisements on all IPv6 Interfaces by Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra |
| Result | fail |
| Time | 2021-02-16T19:41:10 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-80181-1 References: 3.3.1, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3 |
| Description | To set the runtime status of the $ sudo sysctl -w net.ipv6.conf.default.accept_ra=0
If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_ra = 0 |
| Rationale | An illicit router advertisement message could result in a man-in-the-middle attack. |
Remediation Shell script
Remediation Ansible snippet
Configure Accepting Router Advertisements on All IPv6 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra |
| Result | fail |
| Time | 2021-02-16T19:41:10 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-80180-3 References: 3.3.1, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3 |
| Description | To set the runtime status of the $ sudo sysctl -w net.ipv6.conf.all.accept_ra=0
If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_ra = 0 |
| Rationale | An illicit router advertisement message could result in a man-in-the-middle attack. |
Remediation Shell script
Remediation Ansible snippet
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects |
| Result | fail |
| Time | 2021-02-16T19:41:10 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80183-7 References: NT28(R22), 3.3.2, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3 |
| Description | To set the runtime status of the $ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_redirects = 0 |
| Rationale | An illicit ICMP redirect message could result in a man-in-the-middle attack. |
Remediation Shell script
Remediation Ansible snippet
Disable IPv6 Networking Support Automatic Loading
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6 |
| Result | fail |
| Time | 2021-02-16T19:41:10 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80175-3 References: 3.3.3, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3 |
| Description | To disable support for ( net.ipv6.conf.all.disable_ipv6 = 1
This disables IPv6 on all network interfaces as other services and system functionality require the IPv6 stack loaded to work. |
| Rationale | Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation. |
Remediation Shell script
Remediation Ansible snippet
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route |
| Result | pass |
| Time | 2021-02-16T19:41:10 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80162-1 References: NT28(R22), 3.2.1, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-4, CM-7, SC-5, SC-7, DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-040620, SV-86909r2_rule |
| Description | To set the runtime status of the $ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_source_route = 0 |
| Rationale | Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. |
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts |
| Result | fail |
| Time | 2021-02-16T19:41:10 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80165-4 References: 3.2.5, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-4, CM-7, SC-5, DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-040630, SV-86911r2_rule |
| Description | To set the runtime status of the `net.ipv4.icmp_echo_ignore_broadcasts` kernel parameter, run the following command: `$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1` If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: `net.ipv4.icmp_echo_ignore_broadcasts = 1` |
| Rationale | Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks. |
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians |
| Result | fail |
| Time | 2021-02-16T19:41:10 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-80161-3 References: 3.2.4, 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.04, DSS03.05, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000126, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.11.2.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.2.1, A.6.2.2, A.9.1.2, AC-17(7), CM-7, SC-5(3), DE.CM-1, PR.AC-3, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4 |
| Description | To set the runtime status of the `net.ipv4.conf.default.log_martians` kernel parameter, run the following command: `$ sudo sysctl -w net.ipv4.conf.default.log_martians=1` If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: `net.ipv4.conf.default.log_martians = 1` |
| Rationale | The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. |
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter |
| Result | pass |
| Time | 2021-02-16T19:41:10 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80168-8 References: NT28(R22), 3.2.7, 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-4, SC-5, SC-7, DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4 |
| Description | To set the runtime status of the `net.ipv4.conf.default.rp_filter` kernel parameter, run the following command: `$ sudo sysctl -w net.ipv4.conf.default.rp_filter=1` If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: `net.ipv4.conf.default.rp_filter = 1` |
| Rationale | Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. |
Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects |
| Result | fail |
| Time | 2021-02-16T19:41:11 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80159-7 References: NT28(R22), 3.2.3, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-001503, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-4, CM-7, SC-5, DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4 |
| Description | To set the runtime status of the `net.ipv4.conf.all.secure_redirects` kernel parameter, run the following command: `$ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0` If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: `net.ipv4.conf.all.secure_redirects = 0` |
| Rationale | Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required. |
Configure Kernel Parameter for Accepting Secure Redirects By Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects |
| Result | fail |
| Time | 2021-02-16T19:41:11 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80164-7 References: NT28(R22), 3.2.3, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-4, CM-7, SC-5, SC-7, DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4 |
| Description | To set the runtime status of the `net.ipv4.conf.default.secure_redirects` kernel parameter, run the following command: `$ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0` If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: `net.ipv4.conf.default.secure_redirects = 0` |
| Rationale | Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required. |
Disable Accepting ICMP Redirects for All IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects |
| Result | fail |
| Time | 2021-02-16T19:41:11 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80158-9 References: NT28(R22), 3.2.2, 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, 5.10.1.1, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000366, CCI-001503, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-6(d), CM-7, SC-5, DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-07-040641, SV-87827r4_rule |
| Description | To set the runtime status of the `net.ipv4.conf.all.accept_redirects` kernel parameter, run the following command: `$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0` If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: `net.ipv4.conf.all.accept_redirects = 0` |
| Rationale | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. |
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians |
| Result | fail |
| Time | 2021-02-16T19:41:11 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-80160-5 References: NT28(R22), 3.2.4, 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.04, DSS03.05, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000126, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.11.2.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.2.1, A.6.2.2, A.9.1.2, AC-17(7), CM-7, SC-5(3), DE.CM-1, PR.AC-3, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4 |
| Description | To set the runtime status of the `net.ipv4.conf.all.log_martians` kernel parameter, run the following command: `$ sudo sysctl -w net.ipv4.conf.all.log_martians=1` If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: `net.ipv4.conf.all.log_martians = 1` |
| Rationale | The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. |
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter |
| Result | pass |
| Time | 2021-02-16T19:41:11 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80167-0 References: NT28(R22), 3.2.7, 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-001551, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-4, SC-5, SC-7, DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4 |
| Description | To set the runtime status of the `net.ipv4.conf.all.rp_filter` kernel parameter, run the following command: `$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1` If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: `net.ipv4.conf.all.rp_filter = 1` |
| Rationale | Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. |
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses |
| Result | fail |
| Time | 2021-02-16T19:41:11 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-80166-2 References: NT28(R22), 3.2.6, 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7, SC-5, DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3 |
| Description | To set the runtime status of the `net.ipv4.icmp_ignore_bogus_error_responses` kernel parameter, run the following command: `$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1` If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: `net.ipv4.icmp_ignore_bogus_error_responses = 1` |
| Rationale | Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged. |
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route |
| Result | pass |
| Time | 2021-02-16T19:41:11 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27434-0 References: NT28(R22), 3.2.1, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-4, CM-7, SC-5, DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-040610, SV-86907r2_rule |
| Description | To set the runtime status of the `net.ipv4.conf.all.accept_source_route` kernel parameter, run the following command: `$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0` If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: `net.ipv4.conf.all.accept_source_route = 0` |
| Rationale | Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router. |
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects |
| Result | fail |
| Time | 2021-02-16T19:41:11 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80163-9 References: NT28(R22), 3.2.2, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-4, CM-7, SC-5, SC-7, DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-040640, SV-86913r3_rule |
| Description | To set the runtime status of the `net.ipv4.conf.default.accept_redirects` kernel parameter, run the following command: `$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0` If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: `net.ipv4.conf.default.accept_redirects = 0` |
| Rationale | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. |
Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward |
| Result | fail |
| Time | 2021-02-16T19:41:11 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80157-1 References: NT28(R22), 3.1.1, 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7, SC-5, SC-32, DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-040740, SV-86933r2_rule |
| Description | To set the runtime status of the `net.ipv4.ip_forward` kernel parameter, run the following command: `$ sudo sysctl -w net.ipv4.ip_forward=0` If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: `net.ipv4.ip_forward = 0` |
| Rationale | Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network. |
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects |
| Result | fail |
| Time | 2021-02-16T19:41:11 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80156-3 References: NT28(R22), 3.1.2, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-4, CM-7, SC-5(1), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-040660, SV-86917r3_rule |
| Description | To set the runtime status of the `net.ipv4.conf.all.send_redirects` kernel parameter, run the following command: `$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0` If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: `net.ipv4.conf.all.send_redirects = 0` |
| Rationale | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. |
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects |
| Result | fail |
| Time | 2021-02-16T19:41:11 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80999-6 References: NT28(R22), 3.1.2, 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-4, CM-7, SC-5, SC-7, DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-07-040650, SV-86915r4_rule |
| Description | To set the runtime status of the `net.ipv4.conf.default.send_redirects` kernel parameter, run the following command: `$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0` If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: `net.ipv4.conf.default.send_redirects = 0` |
| Rationale | ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. |
Disable DCCP Support
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled |
| Result | fail |
| Time | 2021-02-16T19:41:11 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82024-1 References: 3.5.1, 11, 14, 3, 9, 5.10.1, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, CCI-001958, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3, RHEL-07-020101, SV-92517r2_rule |
| Description | The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the dccp kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d: `install dccp /bin/true` |
| Rationale | Disabling DCCP protects the system against exploitation of any flaws in its implementation. |
OVAL details:
kernel module dccp disabled failed because these items were missing: Object oval:ssg-obj_kernmod_dccp_disabled:obj:1 of type textfilecontent54_object
kernel module dccp disabled in /etc/modprobe.conf failed because these items were missing: Object oval:ssg-obj_kernmod_dccp_modprobeconf:obj:1 of type textfilecontent54_object
kernel module dccp disabled in /etc/modules-load.d failed because these items were missing: Object oval:ssg-obj_kernmod_dccp_etcmodules-load:obj:1 of type textfilecontent54_object
kernel module dccp disabled in /run/modules-load.d failed because these items were missing: Object oval:ssg-obj_kernmod_dccp_runmodules-load:obj:1 of type textfilecontent54_object
kernel module dccp disabled in /usr/lib/modules-load.d failed because these items were missing: Object oval:ssg-obj_kernmod_dccp_libmodules-load:obj:1 of type textfilecontent54_object
kernel module dccp disabled in /run/modprobe.d failed because these items were missing: Object oval:ssg-obj_kernmod_dccp_runmodprobed:obj:1 of type textfilecontent54_object
kernel module dccp disabled in /usr/lib/modprobe.d failed because these items were missing: Object oval:ssg-obj_kernmod_dccp_libmodprobed:obj:1 of type textfilecontent54_object
Disable SCTP Support
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled |
| Result | fail |
| Time | 2021-02-16T19:41:11 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82044-9 References: 3.5.2, 11, 14, 3, 9, 5.10.1, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3 |
| Description | The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the sctp kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d: `install sctp /bin/true` |
| Rationale | Disabling SCTP protects the system against exploitation of any flaws in its implementation. |
OVAL details:
kernel module sctp disabled failed because these items were missing: Object oval:ssg-obj_kernmod_sctp_disabled:obj:1 of type textfilecontent54_object
kernel module sctp disabled in /etc/modprobe.conf failed because these items were missing: Object oval:ssg-obj_kernmod_sctp_modprobeconf:obj:1 of type textfilecontent54_object
kernel module sctp disabled in /etc/modules-load.d failed because these items were missing: Object oval:ssg-obj_kernmod_sctp_etcmodules-load:obj:1 of type textfilecontent54_object
kernel module sctp disabled in /run/modules-load.d failed because these items were missing: Object oval:ssg-obj_kernmod_sctp_runmodules-load:obj:1 of type textfilecontent54_object
kernel module sctp disabled in /usr/lib/modules-load.d failed because these items were missing: Object oval:ssg-obj_kernmod_sctp_libmodules-load:obj:1 of type textfilecontent54_object
kernel module sctp disabled in /run/modprobe.d failed because these items were missing: Object oval:ssg-obj_kernmod_sctp_runmodprobed:obj:1 of type textfilecontent54_object
kernel module sctp disabled in /usr/lib/modprobe.d failed because these items were missing: Object oval:ssg-obj_kernmod_sctp_libmodprobed:obj:1 of type textfilecontent54_object
| Remediation | Shell script, Ansible snippet |
Set Boot Loader Password in grub2
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_password |
| Result | fail |
| Time | 2021-02-16T19:41:11 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-27309-4; References: NT28(R17), 1.4.2, 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-2, IA-2(1), IA-5(e), AC-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_AFL.1, SRG-OS-000080-GPOS-00048, RHEL-07-010480, SV-86585r6_rule |
| Description | The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
$ grub2-setpassword
When prompted, enter the password that was selected. NOTE: It is recommended not to use common administrator account names like root, admin, or administrator for the grub2 superuser account. Change the superuser to a different username (the default is 'root'):
$ sed -i s/root/bootuser/g /etc/grub.d/01_users
To meet FISMA Moderate, the bootloader superuser account and password MUST differ from the root account and password. Once the superuser account and password have been added, update the grub.cfg file by running:
$ grub2-mkconfig -o /boot/grub2/grub.cfg
NOTE: Do NOT manually add the superuser account and password to the grub.cfg file, as the grub2-mkconfig command overwrites this file. |
| Rationale | Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. For more information on how to configure the grub2 superuser account and password, please refer to |
| Warnings | To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above. |
OVAL details:
/boot/grub2/grub.cfg does not exist: failed because of these items:
make sure a password is defined in /boot/grub2/user.cfg: failed because these items were missing: Object oval:ssg-object_grub2_password_usercfg:obj:1 of type textfilecontent54_object
make sure a password is defined in /boot/grub2/grub.cfg: failed because these items were missing: Object oval:ssg-object_grub2_password_grubcfg:obj:1 of type textfilecontent54_object
superuser is defined in /boot/grub2/grub.cfg files. Superuser is not root, admin, or administrator: failed because these items were missing: Object oval:ssg-object_bootloader_superuser:obj:1 of type textfilecontent54_object
Verify /boot/grub2/grub.cfg User Ownership
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg |
| Result | pass |
| Time | 2021-02-16T19:41:11 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82026-6; References: 1.4.1, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000225, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6(7), PR.AC-4, PR.DS-5, Req-7.1 |
| Description | The file
$ sudo chown root /boot/grub2/grub.cfg |
| Rationale | Only root should be able to modify important boot parameters. |
OVAL details:
Testing user ownership of /boot/grub2/grub.cfg: passed because of these items:
Verify /boot/grub2/grub.cfg Group Ownership
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg |
| Result | pass |
| Time | 2021-02-16T19:41:11 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82023-3; References: 1.4.1, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000225, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6(7), PR.AC-4, PR.DS-5, Req-7.1 |
| Description | The file
$ sudo chgrp root /boot/grub2/grub.cfg |
| Rationale | The |
OVAL details:
Verify group ownership of /boot/grub2/grub.cfg: passed because of these items:
Set the UEFI Boot Loader Password
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_uefi_password |
| Result | pass |
| Time | 2021-02-16T19:41:11 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80354-4; References: NT28(R17), 1.4.2, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-3, PR.AC-4, PR.AC-6, PR.PT-3, FIA_AFL.1, SRG-OS-000080-GPOS-00048, RHEL-07-010490, SV-86587r4_rule |
| Description | The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
$ grub2-setpassword
When prompted, enter the password that was selected. NOTE: It is recommended not to use common administrator account names like root, admin, or administrator for the grub2 superuser account. Change the superuser to a different username (the default is 'root'):
$ sed -i s/root/bootuser/g /etc/grub.d/01_users
To meet FISMA Moderate, the bootloader superuser account and password MUST differ from the root account and password. Once the superuser account and password have been added, update the grub.cfg file by running:
$ grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
NOTE: Do NOT manually add the superuser account and password to the grub.cfg file, as the grub2-mkconfig command overwrites this file. |
| Rationale | Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. For more information on how to configure the grub2 superuser account and password, please refer to |
| Warnings | To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above. |
OVAL details:
/boot/efi/EFI/redhat/grub.cfg does not exist: passed because these items were not found: Object oval:ssg-object_bootloader_uefi_grub_cfg:obj:1 of type file_object
make sure a password is defined in /boot/efi/EFI/redhat/user.cfg: passed because these items were not found: Object oval:ssg-object_grub2_uefi_password_usercfg:obj:1 of type textfilecontent54_object
make sure a password is defined in /boot/efi/EFI/redhat/grub.cfg: passed because these items were not found: Object oval:ssg-object_grub2_uefi_password_grubcfg:obj:1 of type textfilecontent54_object
superuser is defined in /boot/efi/EFI/redhat/grub.cfg. Superuser is not root, admin, or administrator: passed because these items were not found: Object oval:ssg-object_bootloader_uefi_superuser:obj:1 of type textfilecontent54_object
Uninstall mcstrans Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_mcstrans_removed |
| Result | pass |
| Time | 2021-02-16T19:41:11 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-80445-0; References: 1.6.1.5 |
| Description | The
$ sudo yum erase mcstrans |
| Rationale | Since this service is not used very often, disable it to reduce the amount of potentially vulnerable code running on the system. NOTE: This rule was added in support of the CIS RHEL6 v1.2.0 benchmark. Please note that Red Hat does not feel this rule is security relevant. |
OVAL details:
package mcstrans is removed: passed because these items were not found: Object oval:ssg-obj_package_mcstrans_removed:obj:1 of type rpminfo_object
Ensure SELinux Not Disabled in /etc/default/grub
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_enable_selinux |
| Result | pass |
| Time | 2021-02-16T19:41:11 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-26961-3; References: 1.6.1.1, 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01, 3.1.2, 3.7.2, CCI-000022, CCI-000032, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-3, AC-3(3), AC-3(4), AC-4, AC-6, AU-9, SI-6(a), DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4, SRG-OS-000445-VMM-001780 |
| Description | SELinux can be disabled at boot time by an argument in |
| Rationale | Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation. |
OVAL details:
check value selinux|enforcing=0 in /etc/default/grub, fail if found: passed because these items were not found: Object oval:ssg-object_selinux_default_grub:obj:1 of type textfilecontent54_object
check value selinux|enforcing=0 in /etc/grub2.cfg, fail if found: passed because these items were not found: Object oval:ssg-object_selinux_grub2_cfg:obj:1 of type textfilecontent54_object
check value selinux|enforcing=0 in /etc/grub.d, fail if found: passed because these items were not found: Object oval:ssg-object_selinux_grub_dir:obj:1 of type textfilecontent54_object
Configure SELinux Policy
| Rule ID | xccdf_org.ssgproject.content_rule_selinux_policytype |
| Result | pass |
| Time | 2021-02-16T19:41:11 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-27279-9; References: NT28(R66), 1.6.1.3, 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01, 3.1.2, 3.7.2, CCI-002696, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-3, AC-3(3), AC-3(4), AC-4, AC-6, AU-9, SI-6(a), DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4, SRG-OS-000445-GPOS-00199, RHEL-07-020220, SV-86615r4_rule, SRG-OS-000445-VMM-001780 |
| Description | The SELinux
SELINUXTYPE=targeted
Other policies, such as mls, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases. |
| Rationale | Setting the SELinux policy to |
OVAL details:
Tests the value of the ^[\s]*SELINUXTYPE[\s]*=[\s]*([^#]*) expression in the /etc/selinux/config file: passed because of these items:
Uninstall setroubleshoot Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_setroubleshoot_removed |
| Result | fail |
| Time | 2021-02-16T19:41:11 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-80444-3 |
| Description | The SETroubleshoot service notifies desktop users of SELinux
denials. The service provides information around configuration errors,
unauthorized intrusions, and other potential errors.
The
$ sudo yum erase setroubleshoot |
| Rationale | The SETroubleshoot service is an unnecessary daemon to have running on a server. |
OVAL details:
package setroubleshoot is removed: failed because of these items:
| Remediation | Shell script, Ansible snippet, Puppet snippet, Anaconda snippet |
Ensure No Daemons are Unconfined by SELinux
| Rule ID | xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons |
| Result | pass |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27288-0; References: 1.6.1.6, 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, MEA02.01, 3.1.2, 3.1.5, 3.7.2, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, AU-9, CM-7, SC-39, PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, PR.PT-3 |
| Description | Daemons for which the SELinux policy does not contain rules will inherit the
context of the parent process. Because daemons are launched during
startup and descend from the
$ sudo ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
It should produce no output in a well-configured system. |
| Rationale | Daemons which run with the |
| Warnings | Automatic remediation of this control is not available. Remediation can be achieved by amending SELinux policy or stopping the unconfined daemons as outlined above. |
OVAL details:
device_t in /dev: passed because these items were not found: Object oval:ssg-object_selinux_confinement_of_daemons:obj:1 of type selinuxsecuritycontext_object; State oval:ssg-state_selinux_confinement_of_daemons:ste:1 of type selinuxsecuritycontext_state
Ensure SELinux State is Enforcing
| Rule ID | xccdf_org.ssgproject.content_rule_selinux_state |
| Result | fail |
| Time | 2021-02-16T19:41:12 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-27334-2; References: NT28(R4), 1.6.1.2, 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01, 3.1.2, 3.7.2, CCI-002165, CCI-002696, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-3, AC-3(3), AC-3(4), AC-4, AC-6, AU-9, SI-6(a), DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4, SRG-OS-000445-GPOS-00199, RHEL-07-020210, SV-86613r3_rule, SRG-OS-000445-VMM-001780 |
| Description | The SELinux state should be set to
SELINUX=enforcing |
| Rationale | Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges. |
OVAL details:
/selinux/enforce is 1: failed because of these items:
| Remediation | Shell script, Ansible snippet |
Set Account Expiration Following Inactivity
| Rule ID | xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration |
| Result | fail |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27355-7; References: 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.6.2.1.1, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.6, CCI-000017, CCI-000795, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-2(2), AC-2(3), IA-4(e), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, Req-8.1.4, SRG-OS-000118-GPOS-00060, RHEL-07-010310, SV-86565r2_rule, SRG-OS-000003-VMM-000030, SRG-OS-000118-VMM-000590 |
| Description | To specify the number of days after a password expires (which
signifies inactivity) until an account is permanently disabled, add or correct
the following lines in
INACTIVE=30
A value of 35 is recommended; however, this profile expects that the value is set to 30.
If a password is currently on the
verge of expiration, then 35 days remain until the account is automatically
disabled. However, if the password will not expire for another 60 days, then 95
days could elapse until the account would be automatically disabled. See the
useradd man page for more information. Determining the inactivity
timeout must be done with careful consideration of the length of a "normal"
period of inactivity for users in the particular environment. Setting
the timeout too low incurs support costs and also has the potential to impact
availability of the system to legitimate users. |
| Rationale | Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. |
OVAL details:
the value INACTIVE parameter should be set appropriately in /etc/default/useradd: failed because these items were missing: Object oval:ssg-object_etc_default_useradd_inactive:obj:1 of type textfilecontent54_object; State oval:ssg-state_etc_default_useradd_inactive:ste:1 of type textfilecontent54_state
| Remediation | Shell script, Ansible snippet |
Direct root Logins Not Allowed
| Rule ID | xccdf_org.ssgproject.content_rule_no_direct_root_logins |
| Result | fail |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27294-8; References: NT28(R19), 5.5, 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.1, 3.1.6, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-2, IA-2(1), PR.AC-1, PR.AC-6, PR.AC-7 |
| Description | To further limit access to the
$ sudo echo > /etc/securetty |
| Rationale | Disabling direct root logins ensures proper accountability and multifactor authentication to privileged accounts. Users will first log in, then escalate to privileged (root) access via su / sudo. This is required for FISMA Low and FISMA Moderate systems. |
OVAL details:
no entries in /etc/securetty: failed because these items were missing: Object oval:ssg-object_no_direct_root_logins:obj:1 of type textfilecontent54_object
/etc/securetty file exists: failed because of these items:
| Remediation | Ansible snippet |
Ensure that System Accounts Do Not Run a Shell Upon Login
| Rule ID | xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts |
| Result | fail |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82015-9; References: 5.4.2, 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS06.03, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-2, DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6 |
| Description | Some accounts are not associated with a human user of the system, and exist to
perform some administrative function. Should an attacker be able to log into
these accounts, they should not be granted access to a shell.
$ sudo usermod -s /sbin/nologin SYSACCT |
| Rationale | Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts. |
| Warnings | Do not perform the steps in this section on the root account. Doing so might cause the system to become inaccessible. |
OVAL details:
SYS_UID_MIN not defined in /etc/login.defs: failed because of these items:
SYS_UID_MAX not defined in /etc/login.defs: failed because of these items:
<0, UID_MIN - 1> system UIDs having shell set: failed because of these items:
SYS_UID_MIN not defined in /etc/login.defs: failed because of these items:
SYS_UID_MAX not defined in /etc/login.defs: failed because of these items:
<0, SYS_UID_MIN> system UIDs having shell set: failed because of these items:
<SYS_UID_MIN, SYS_UID_MAX> system UIDs having shell set: failed because of these items:
Verify Only Root Has UID 0
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero |
| Result | pass |
| Time | 2021-02-16T19:41:12 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-82054-8; References: 6.2.5, 1, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10, 3.1.1, 3.1.5, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-6, IA-2, IA-2(1), IA-4, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-07-020310, SV-86629r2_rule |
| Description | If any account other than root has a UID of 0, this misconfiguration should
be investigated and the accounts other than root should be removed or have
their UID changed. |
| Rationale | An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner. |
OVAL details:
test that there are no accounts with UID 0 except root in the /etc/passwd file: passed because these items were not found: Object oval:ssg-object_accounts_no_uid_except_root:obj:1 of type textfilecontent54_object
Set Password Warning Age
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs |
| Result | pass |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82016-7; References: 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-2(2), IA-5(f), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7 |
| Description | To specify how many days prior to password
expiration that a warning will be issued to users,
edit the file
PASS_WARN_AGE 7
The DoD requirement is 7. The profile requirement is 7. |
| Rationale | Setting the password warning age enables users to make the change at a practical time. |
OVAL details:
The value of PASS_WARN_AGE should be set appropriately in /etc/login.defs: passed because of these items:
Set Password Minimum Age
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs |
| Result | fail |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82036-5; References: 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, CCI-000198, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(d), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000075-GPOS-00043, RHEL-07-010230, SV-86549r2_rule |
| Description | To specify password minimum age for new accounts,
edit the file
PASS_MIN_DAYS 7
A value of 1 day is considered sufficient for many environments. The DoD requirement is 1. The profile requirement is 7. |
| Rationale | Enforcing a minimum password lifetime helps to prevent repeated password
changes to defeat the password reuse or history enforcement requirement. If
users are allowed to immediately and continually change their password,
then the password could be repeatedly changed in a short period of time to
defeat the organization's policy regarding password reuse. |
OVAL details The value of PASS_MIN_DAYS should be set appropriately in /etc/login.defs failed because of these items:
Set Password Maximum Age
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs |
| Result | fail |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27051-2 References: 5.4.1.1, 1, 12, 15, 16, 5, 5.6.2.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.6, CCI-000199, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(g), IA-5(1)(d), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.4, SRG-OS-000076-GPOS-00044, RHEL-07-010250, SV-86553r2_rule |
| Description | To specify the password maximum age for new accounts, edit the file to contain the line PASS_MAX_DAYS 90. A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is 90. |
| Rationale | Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. |
OVAL details: The value of PASS_MAX_DAYS should be set appropriately in /etc/login.defs failed because of these items:
Set PAM's Password Hashing Algorithm
| Rule ID | xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth |
| Result | pass |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82043-1 References: 6.3.1, 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, CCI-000196, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(b), IA-5(c), IA-5(1)(c), IA-7, PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, SRG-OS-000073-GPOS-00041, RHEL-07-010200, SV-86543r3_rule, SRG-OS-000480-VMM-002000 |
| Description | The PAM system service can be configured to only store encrypted representations of passwords. In the password section of the PAM configuration, the pam_unix.so line should include the sha512 argument: password sufficient pam_unix.so sha512 other arguments... This will help ensure that when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default. |
| Rationale | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. |
OVAL details: check /etc/pam.d/system-auth for correct settings passed because of these items:
Set Lockout Time for Failed Password Attempts
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time |
| Result | fail |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-26884-7 References: 5.3.2, 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-7(b), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.7, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, RHEL-07-010320, SV-86567r4_rule, SRG-OS-000329-VMM-001180 |
| Description | To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using |
| Rationale | Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations. |
OVAL details: check preauth maximum failed login attempts allowed in /etc/pam.d/system-auth failed because these items were missing:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_system-auth:obj:1 of type textfilecontent54_object
State oval:ssg-state_accounts_passwords_pam_faillock_unlock_time_system-auth:ste:1 of type textfilecontent54_state
check authfail maximum failed login attempts allowed in /etc/pam.d/system-auth failed because these items were missing:
Object oval:ssg-object_accounts_passwords_pam_faillock_authfail_unlock_time_system-auth:obj:1 of type textfilecontent54_object
State oval:ssg-state_accounts_passwords_pam_faillock_unlock_time_system-auth:ste:1 of type textfilecontent54_state
check authfail maximum failed login attempts allowed in /etc/pam.d/password-auth failed because these items were missing:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_password-auth:obj:1 of type textfilecontent54_object
State oval:ssg-state_accounts_passwords_pam_faillock_unlock_time_password-auth:ste:1 of type textfilecontent54_state
check preauth maximum failed login attempts allowed in /etc/pam.d/password-auth failed because these items were missing:
Object oval:ssg-object_accounts_passwords_pam_faillock_preauth_unlock_time_password-auth:obj:1 of type textfilecontent54_object
State oval:ssg-state_accounts_passwords_pam_faillock_unlock_time_password-auth:ste:1 of type textfilecontent54_state
Limit Password Reuse
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember |
| Result | fail |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82030-8 References: 5.3.3, 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, CCI-000200, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(e), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.5, SRG-OS-000077-GPOS-00045, RHEL-07-010270, SV-86557r3_rule, SRG-OS-000077-VMM-000440 |
| Description | Do not allow users to reuse recent passwords. This can be accomplished by using the |
| Rationale | Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. |
OVAL details: Test if remember attribute of pam_unix.so is set correctly in /etc/pam.d/system-auth failed because these items were missing:
Object oval:ssg-object_accounts_password_pam_unix_remember:obj:1 of type textfilecontent54_object
State oval:ssg-state_accounts_password_pam_unix_remember:ste:1 of type textfilecontent54_state
Test if remember attribute of pam_pwhistory.so is set correctly in /etc/pam.d/system-auth failed because these items were missing:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember:obj:1 of type textfilecontent54_object
State oval:ssg-state_accounts_password_pam_unix_remember:ste:1 of type textfilecontent54_state
Set Deny For Failed Password Attempts
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny |
| Result | fail |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27350-8 References: 5.3.2, 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-002238, CCI-000044, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-7(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.6, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, RHEL-07-010320, SV-86567r4_rule, SRG-OS-000021-VMM-000050 |
| Description | To configure the system to lock out accounts after a number of incorrect login attempts using |
| Rationale | Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. |
OVAL details: Check pam_faillock.so preauth silent present, with correct deny value, and is followed by pam_unix. failed because these items were missing:
Object oval:ssg-object_accounts_passwords_pam_faillock_preauth_silent_system-auth:obj:1 of type textfilecontent54_object
State oval:ssg-state_var_accounts_passwords_pam_faillock_deny_value:ste:1 of type textfilecontent54_state
Check if pam_faillock.so is called in account phase before pam_unix failed because these items were missing:
Object oval:ssg-object_accounts_passwords_pam_faillock_account_phase_system-auth:obj:1 of type textfilecontent54_object
Check pam_faillock.so preauth silent present in /etc/pam.d/password-auth, has correct deny value, and is followed by pam_unix failed because these items were missing:
Object oval:ssg-object_accounts_passwords_pam_faillock_preauth_silent_password-auth:obj:1 of type textfilecontent54_object
State oval:ssg-state_var_accounts_passwords_pam_faillock_deny_value:ste:1 of type textfilecontent54_state
Check if pam_faillock_so is called in account phase before pam_unix. failed because these items were missing:
Object oval:ssg-object_accounts_passwords_pam_faillock_account_phase_password-auth:obj:1 of type textfilecontent54_object
Checks if pam_faillock authfail is hit even if pam_unix skips lines by defaulting, and also authfail deny value failed because these items were missing:
Object oval:ssg-object_accounts_passwords_pam_faillock_when_lines_skipped_system-auth:obj:1 of type textfilecontent54_object
State oval:ssg-state_var_accounts_passwords_pam_faillock_deny_value:ste:1 of type textfilecontent54_state
Check control values of pam_unix, that it is followed by pam_faillock.so authfail and deny value of pam_faillock.so authfail failed because these items were missing:
Object oval:ssg-object_accounts_passwords_pam_faillock_authfail_deny_system-auth:obj:1 of type textfilecontent54_object
State oval:ssg-state_var_accounts_passwords_pam_faillock_deny_value:ste:1 of type textfilecontent54_state
Checks if pam_faillock authfail is hit even if pam_unix skips lines by defaulting, and also authfail deny value failed because these items were missing:
Object oval:ssg-object_accounts_passwords_pam_faillock_when_lines_skipped_password-auth:obj:1 of type textfilecontent54_object
State oval:ssg-state_var_accounts_passwords_pam_faillock_deny_value:ste:1 of type textfilecontent54_state
Check pam_faillock authfail is present after pam_unix, check pam_unix has proper control values, and authfail deny value is correct. failed because these items were missing:
Object oval:ssg-object_accounts_passwords_pam_faillock_authfail_deny_password-auth:obj:1 of type textfilecontent54_object
State oval:ssg-state_var_accounts_passwords_pam_faillock_deny_value:ste:1 of type textfilecontent54_state
Ensure PAM Enforces Password Requirements - Minimum Length
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen |
| Result | fail |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27293-0 References: 6.3.2, 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000205, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(1)(a), PR.AC-1, PR.AC-6, PR.AC-7, FMT_MOF_EXT.1, Req-8.2.3, SRG-OS-000078-GPOS-00046, RHEL-07-010280, SV-86559r2_rule, SRG-OS-000072-VMM-000390, SRG-OS-000078-VMM-000450 |
| Description | The pam_pwquality module's |
| Rationale | The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. |
OVAL details: check the configuration of /etc/security/pwquality.conf failed because these items were missing:
Object oval:ssg-obj_password_pam_pwquality_minlen:obj:1 of type textfilecontent54_object
State oval:ssg-state_password_pam_minlen:ste:1 of type textfilecontent54_state
Ensure PAM Enforces Password Requirements - Minimum Digit Characters
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit |
| Result | fail |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27214-6 References: 6.3.2, 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000194, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(1)(a), IA-5(b), IA-5(c), 194, PR.AC-1, PR.AC-6, PR.AC-7, FMT_MOF_EXT.1, Req-8.2.3, SRG-OS-000071-GPOS-00039, RHEL-07-010140, SV-86531r3_rule, SRG-OS-000071-VMM-000380 |
| Description | The pam_pwquality module's |
| Rationale | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. |
OVAL details: check the configuration of /etc/security/pwquality.conf failed because these items were missing:
Object oval:ssg-obj_password_pam_pwquality_dcredit:obj:1 of type textfilecontent54_object
State oval:ssg-state_password_pam_dcredit:ste:1 of type textfilecontent54_state
Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit |
| Result | fail |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27345-8 References: 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000193, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(b), IA-5(c), IA-5(1)(a), PR.AC-1, PR.AC-6, PR.AC-7, FMT_MOF_EXT.1, Req-8.2.3, SRG-OS-000070-GPOS-00038, RHEL-07-010130, SV-86529r5_rule, SRG-OS-000070-VMM-000370 |
| Description | The pam_pwquality module's |
| Rationale | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. |
OVAL details: check the configuration of /etc/security/pwquality.conf failed because these items were missing:
Object oval:ssg-obj_password_pam_pwquality_lcredit:obj:1 of type textfilecontent54_object
State oval:ssg-state_password_pam_lcredit:ste:1 of type textfilecontent54_state
Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit |
| Result | fail |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27200-5 References: 6.3.2, 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000192, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(b), IA-5(c), IA-5(1)(a), PR.AC-1, PR.AC-6, PR.AC-7, FMT_MOF_EXT.1, Req-8.2.3, SRG-OS-000069-GPOS-00037, RHEL-07-010120, SV-86527r3_rule, SRG-OS-000069-VMM-000360 |
| Description | The pam_pwquality module's |
| Rationale | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. |
OVAL details: check the configuration of /etc/security/pwquality.conf failed because these items were missing:
Object oval:ssg-obj_password_pam_pwquality_ucredit:obj:1 of type textfilecontent54_object
State oval:ssg-state_password_pam_ucredit:ste:1 of type textfilecontent54_state
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_retry |
| Result | pass |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27160-1 References: 6.3.2, 1, 11, 12, 15, 16, 3, 5, 9, 5.5.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(b), IA-5(c), PR.AC-1, PR.AC-6, PR.AC-7, PR.IP-1, FMT_MOF_EXT.1, SRG-OS-000480-GPOS-00225, RHEL-07-010119, SV-87811r4_rule |
| Description | To configure the number of retry prompts that are permitted per-session: Edit the |
| Rationale | Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module. |
OVAL details: check the configuration of /etc/pam.d/system-auth passed because of these items:
Require Authentication for Single User Mode
| Rule ID | xccdf_org.ssgproject.content_rule_require_singleuser_auth |
| Result | pass |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27287-2 References: 1.4.3, 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-2, IA-2(1), AC-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_AFL.1, SRG-OS-000080-GPOS-00048, RHEL-07-010481, SV-92519r2_rule |
| Description | Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected. |
| Rationale | This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password. |
OVAL details: Tests that /sbin/sulogin was not removed from the default systemd rescue.service to ensure that a password must be entered to access single user mode passed because of these items:
Tests that the systemd rescue.service is in the runlevel1.target passed because of these items:
look for runlevel1.target in /etc/systemd/system passed because these items were not found:
Object oval:ssg-object_no_custom_runlevel1_target:obj:1 of type file_object
look for rescue.service in /etc/systemd/system passed because these items were not found:
Object oval:ssg-object_no_custom_rescue_service:obj:1 of type file_object
Ensure the Default Bash Umask is Set Correctly
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc |
| Result | fail |
| Time | 2021-02-16T19:41:12 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-80202-5 References: 5.4.4, 18, APO13.01, BAI03.01, BAI03.02, BAI03.03, CCI-000366, 4.3.4.3.3, A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5, SA-8, PR.IP-2 |
| Description | To ensure the default umask for users of the Bash shell is set properly, add or correct the line umask 027 |
| Rationale | The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users. |
OVAL details: Test the retrieved /etc/bashrc umask value(s) match the var_accounts_user_umask requirement failed because of these items:
Ensure the Default Umask is Set Correctly in /etc/profile
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile |
| Result | fail |
| Time | 2021-02-16T19:41:12 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-80204-1 References: NT28(R35), 5.4.4, 18, APO13.01, BAI03.01, BAI03.02, BAI03.03, CCI-000366, 4.3.4.3.3, A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5, SA-8, PR.IP-2 |
| Description | To ensure the default umask controlled by /etc/profile is set properly, add or correct the line umask 027 |
| Rationale | The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users. |
OVAL details: Test the retrieved /etc/profile umask value(s) match the var_accounts_user_umask requirement failed because of these items:
Configure auditd Max Log File Size
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file |
| Result | pass |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27319-3 References: 5.2.1.1, 1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, AU-1(b), AU-11, IR-5, DE.AE-3, DE.AE-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7 |
| Description | Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file to contain the line max_log_file = STOREMB. Set the value to 6 (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data. |
| Rationale | The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained. |
OVAL details: max log file size passed because of these items:
Configure auditd mail_acct Action on Low Disk Space
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct |
| Result | pass |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27394-6 References: 5.2.1.2, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, CCI-000139, CCI-001855, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-1(b), AU-4, AU-5(1), AU-5(a), IR-5, DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7.a, SRG-OS-000343-GPOS-00134, RHEL-07-030350, SV-86717r3_rule, SRG-OS-000046-VMM-000210, SRG-OS-000343-VMM-001240 |
| Description | The action_mail_acct setting should read: action_mail_acct = root |
| Rationale | Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action. |
OVAL details: email account for actions passed because of these items:
Configure auditd admin_space_left Action on Low Disk Space
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action |
| Result | fail |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27370-6 References: 5.2.1.2, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, CCI-000140, CCI-001343, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-1(b), AU-4, AU-5(b), IR-5, DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, RHEL-07-030340, SV-86715r2_rule |
| Description | The admin_space_left_action setting should read: admin_space_left_action = ACTION. Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include suspend and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page. |
| Rationale | Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur. |
OVAL details: space left action failed because of these items:
Configure auditd max_log_file_action Upon Reaching Maximum Log Size
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action |
| Result | pass |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27231-0 References: 5.2.1.3, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-1(b), AU-4, AU-11, IR-5, DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7 |
| Description | The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken, set the line max_log_file_action = ACTION. Possible values for ACTION are described in the auditd.conf man page. Set ACTION to rotate to ensure log rotation occurs. This is the default. The setting is case-insensitive. |
| Rationale | Automatically rotating logs (by setting this to |
OVAL details: admin space left action passed because of these items:
Ensure auditd Collects Information on Kernel Module Loading and Unloading
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading |
| Result | fail |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27129-6 References: 5.2.17, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.2.7 |
| Description | To capture kernel module loading and unloading events, use the following line, setting ARCH to b32 on a 32-bit system, or add two lines (one with b32 and one with b64) if the system is 64-bit: `-a always,exit -F arch=ARCH -S init_module,finit_module,delete_module -F key=modules` Where to add the lines depends on how the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the lines to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the lines to the file /etc/audit/audit.rules. |
| Rationale | The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. |
Record Attempts to Alter Logon and Logout Events
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_login_events |
| Result | fail |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27204-7 References: 5.2.8, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.2.3 |
| Description | The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program (the default) to read audit rules during daemon startup, add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events: `-w /var/log/tallylog -p wa -k logins` `-w /var/run/faillock -p wa -k logins` `-w /var/log/lastlog -p wa -k logins` If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same lines to the /etc/audit/audit.rules file: `-w /var/log/tallylog -p wa -k logins` `-w /var/run/faillock -p wa -k logins` `-w /var/log/lastlog -p wa -k logins` |
| Rationale | Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. |
| Warnings | This rule checks for multiple syscalls related to login events; it was written with DISA STIG in mind. Other policies should use a separate rule for each syscall that needs to be checked. For example: |
Record Attempts to Alter Time Through stime
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_time_stime |
| Result | fail |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27299-7 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b |
| Description | If the auditd daemon is configured to use the augenrules program (the default) to read audit rules during daemon startup, add the following line to a file with suffix .rules in the directory /etc/audit/rules.d for both 32 bit and 64 bit systems: `-a always,exit -F arch=b32 -S stime -F key=audit_time_rules` Since the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the "-F arch=b32" stime rule form is itself sufficient for both 32 bit and 64 bit systems). If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the same line to the /etc/audit/audit.rules file for both 32 bit and 64 bit systems: `-a always,exit -F arch=b32 -S stime -F key=audit_time_rules` The -k option (equivalently -F key=) allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined system calls: `-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules` |
| Rationale | Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. |
OVAL details: audit augenrules 32-bit stime failed because these items were missing: Object oval:ssg-object_32bit_art_stime_augenrules:obj:1 of type textfilecontent54_object
audit auditctl 32-bit stime failed because these items were missing: Object oval:ssg-object_32bit_art_stime_auditctl:obj:1 of type textfilecontent54_object
Record attempts to alter time through settimeofday
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday |
| Result | fail |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27216-1 References: 5.2.4, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b |
| Description | If the auditd daemon is configured to use the augenrules program (the default) to read audit rules during daemon startup, add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: `-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules` If the system is 64 bit then also add the following line: `-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules` If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file: `-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules` If the system is 64 bit then also add the following line: `-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules` The -k option (equivalently -F key=) allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined syscalls: `-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules` |
| Rationale | Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. |
OVAL details: audit augenrules 32-bit settimeofday failed because these items were missing: Object oval:ssg-object_32bit_art_settimeofday_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 64-bit settimeofday failed because these items were missing: Object oval:ssg-object_64bit_art_settimeofday_augenrules:obj:1 of type textfilecontent54_object
audit auditctl 32-bit settimeofday failed because these items were missing: Object oval:ssg-object_32bit_art_settimeofday_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 64-bit settimeofday failed because these items were missing: Object oval:ssg-object_64bit_art_settimeofday_auditctl:obj:1 of type textfilecontent54_object
Record Attempts to Alter the localtime File
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime |
| Result | fail |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27310-2 References: 5.2.4, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(b), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b |
| Description | If the auditd daemon is configured to use the augenrules program (the default) to read audit rules during daemon startup, add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: `-w /etc/localtime -p wa -k audit_time_rules` If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file: `-w /etc/localtime -p wa -k audit_time_rules` The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport, and should always be used. |
| Rationale | Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. |
OVAL details: audit /etc/localtime watch augenrules failed because these items were missing: Object oval:ssg-object_artw_etc_localtime_augenrules:obj:1 of type textfilecontent54_object
audit /etc/localtime watch auditctl failed because these items were missing: Object oval:ssg-object_artw_etc_localtime_auditctl:obj:1 of type textfilecontent54_object
Record Attempts to Alter Time Through clock_settime
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime |
| Result | fail |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27219-5 References: 5.2.4, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b |
| Description | If the auditd daemon is configured to use the augenrules program (the default) to read audit rules during daemon startup, add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: `-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change` If the system is 64 bit then also add the following line: `-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change` If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file: `-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change` If the system is 64 bit then also add the following line: `-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change` The -F a0=0x0 filter restricts the rule to calls whose first argument (the clock ID) is 0, i.e. CLOCK_REALTIME, the system wall clock. The -k option (equivalently -F key=) allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined syscalls: `-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules` |
| Rationale | Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. |
OVAL details: audit augenrules 32-bit clock_settime failed because these items were missing: Object oval:ssg-object_32bit_art_clock_settime_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 64-bit clock_settime failed because these items were missing: Object oval:ssg-object_64bit_art_clock_settime_augenrules:obj:1 of type textfilecontent54_object
audit auditctl 32-bit clock_settime failed because these items were missing: Object oval:ssg-object_32bit_art_clock_settime_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 64-bit clock_settime failed because these items were missing: Object oval:ssg-object_64bit_art_clock_settime_auditctl:obj:1 of type textfilecontent54_object
Record attempts to alter time through adjtimex
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex |
| Result | fail |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27290-6 References: 5.2.4, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b |
| Description | If the auditd daemon is configured to use the augenrules program (the default) to read audit rules during daemon startup, add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: `-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules` If the system is 64 bit then also add the following line: `-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules` If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file: `-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules` If the system is 64 bit then also add the following line: `-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules` The -k option (equivalently -F key=) allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined syscalls: `-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules` |
| Rationale | Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. |
OVAL details: audit augenrules 32-bit adjtimex failed because these items were missing: Object oval:ssg-object_32bit_art_adjtimex_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 64-bit adjtimex failed because these items were missing: Object oval:ssg-object_64bit_art_adjtimex_augenrules:obj:1 of type textfilecontent54_object
audit auditctl 32-bit adjtimex failed because these items were missing: Object oval:ssg-object_32bit_art_adjtimex_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 64-bit adjtimex failed because these items were missing: Object oval:ssg-object_64bit_art_adjtimex_auditctl:obj:1 of type textfilecontent54_object
Record Events that Modify the System's Discretionary Access Controls - fchown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown |
| Result | fail |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27356-5 References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, RHEL-07-030380, SV-86723r4_rule, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940 |
| Description | At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program (the default) to read audit rules during daemon startup, add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: `-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod` If the system is 64 bit then also add the following line: `-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod` If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file: `-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod` If the system is 64 bit then also add the following line: `-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod` |
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| Warnings | Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient. |
OVAL details: audit augenrules 32-bit fchown failed because these items were missing: Object oval:ssg-object_32bit_ardm_fchown_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 64-bit fchown failed because these items were missing: Object oval:ssg-object_64bit_ardm_fchown_augenrules:obj:1 of type textfilecontent54_object
audit auditctl 32-bit fchown failed because these items were missing: Object oval:ssg-object_32bit_ardm_fchown_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 64-bit fchown failed because these items were missing: Object oval:ssg-object_64bit_ardm_fchown_auditctl:obj:1 of type textfilecontent54_object
Record Events that Modify the System's Discretionary Access Controls - setxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr |
| Result | fail |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27213-8 References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, RHEL-07-030440, SV-86735r4_rule, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940 |
| Description | At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program (the default) to read audit rules during daemon startup, add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: `-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod` If the system is 64 bit then also add the following line: `-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod` If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file: `-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod` If the system is 64 bit then also add the following line: `-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod` |
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| Warnings | Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient. |
OVAL details: audit augenrules 32-bit setxattr failed because these items were missing: Object oval:ssg-object_32bit_ardm_setxattr_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 64-bit setxattr failed because these items were missing: Object oval:ssg-object_64bit_ardm_setxattr_augenrules:obj:1 of type textfilecontent54_object
audit auditctl 32-bit setxattr failed because these items were missing: Object oval:ssg-object_32bit_ardm_setxattr_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 64-bit setxattr failed because these items were missing: Object oval:ssg-object_64bit_ardm_setxattr_auditctl:obj:1 of type textfilecontent54_object
Record Events that Modify the System's Discretionary Access Controls - chown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown |
| Result | fail |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27364-9 References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, RHEL-07-030370, SV-86721r4_rule, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940 |
| Description | At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program (the default) to read audit rules during daemon startup, add the following line to a file with suffix .rules in the directory /etc/audit/rules.d: `-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod` If the system is 64 bit then also add the following line: `-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod` If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file: `-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod` If the system is 64 bit then also add the following line: `-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod` |
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. |
| Warnings | Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient. |
OVAL details:
audit augenrules 32-bit chown failed because these items were missing: Object oval:ssg-object_32bit_ardm_chown_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 64-bit chown failed because these items were missing: Object oval:ssg-object_64bit_ardm_chown_augenrules:obj:1 of type textfilecontent54_object
audit auditctl 32-bit chown failed because these items were missing: Object oval:ssg-object_32bit_ardm_chown_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 64-bit chown failed because these items were missing: Object oval:ssg-object_64bit_ardm_chown_auditctl:obj:1 of type textfilecontent54_object
Remediation Shell script: (not expanded)
Remediation Ansible snippet: (not expanded)
Record Events that Modify the System's Discretionary Access Controls - fchownat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat | ||||||||||||||||||||||||
| Result | fail | ||||||||||||||||||||||||
| Time | 2021-02-16T19:41:12 | ||||||||||||||||||||||||
| Severity | medium | ||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-27387-0 References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, RHEL-07-030400, SV-86727r4_rule, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940 | ||||||||||||||||||||||||
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the default), add
the following line to a file with suffix .rules in the directory
/etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following line to the
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod | ||||||||||||||||||||||||
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | ||||||||||||||||||||||||
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others, as identified earlier in this guide, is more efficient. | ||||||||||||||||||||||||
OVAL details:
audit augenrules 32-bit fchownat failed because these items were missing: Object oval:ssg-object_32bit_ardm_fchownat_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 64-bit fchownat failed because these items were missing: Object oval:ssg-object_64bit_ardm_fchownat_augenrules:obj:1 of type textfilecontent54_object
audit auditctl 32-bit fchownat failed because these items were missing: Object oval:ssg-object_32bit_ardm_fchownat_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 64-bit fchownat failed because these items were missing: Object oval:ssg-object_64bit_ardm_fchownat_auditctl:obj:1 of type textfilecontent54_object
Remediation Shell script: (not expanded)
Remediation Ansible snippet: (not expanded)
Record Events that Modify the System's Discretionary Access Controls - chmod
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod | ||||||||||||||||||||||||
| Result | fail | ||||||||||||||||||||||||
| Time | 2021-02-16T19:41:12 | ||||||||||||||||||||||||
| Severity | medium | ||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-27339-1 References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, RHEL-07-030410, SV-86729r4_rule, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940 | ||||||||||||||||||||||||
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the default), add
the following line to a file with suffix .rules in the directory
/etc/audit/rules.d:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following line to the
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod | ||||||||||||||||||||||||
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | ||||||||||||||||||||||||
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others, as identified earlier in this guide, is more efficient. | ||||||||||||||||||||||||
OVAL details:
audit augenrules 32-bit chmod failed because these items were missing: Object oval:ssg-object_32bit_ardm_chmod_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 64-bit chmod failed because these items were missing: Object oval:ssg-object_64bit_ardm_chmod_augenrules:obj:1 of type textfilecontent54_object
audit auditctl 32-bit chmod failed because these items were missing: Object oval:ssg-object_32bit_ardm_chmod_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 64-bit chmod failed because these items were missing: Object oval:ssg-object_64bit_ardm_chmod_auditctl:obj:1 of type textfilecontent54_object
Remediation Shell script: (not expanded)
Remediation Ansible snippet: (not expanded)
Record Events that Modify the System's Discretionary Access Controls - fchmodat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat | ||||||||||||||||||||||||
| Result | fail | ||||||||||||||||||||||||
| Time | 2021-02-16T19:41:12 | ||||||||||||||||||||||||
| Severity | medium | ||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-27388-8 References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, RHEL-07-030430, SV-86733r4_rule, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940 | ||||||||||||||||||||||||
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the default), add
the following line to a file with suffix .rules in the directory
/etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following line to the
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod | ||||||||||||||||||||||||
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | ||||||||||||||||||||||||
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others, as identified earlier in this guide, is more efficient. | ||||||||||||||||||||||||
OVAL details:
audit augenrules 32-bit fchmodat failed because these items were missing: Object oval:ssg-object_32bit_ardm_fchmodat_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 64-bit fchmodat failed because these items were missing: Object oval:ssg-object_64bit_ardm_fchmodat_augenrules:obj:1 of type textfilecontent54_object
audit auditctl 32-bit fchmodat failed because these items were missing: Object oval:ssg-object_32bit_ardm_fchmodat_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 64-bit fchmodat failed because these items were missing: Object oval:ssg-object_64bit_ardm_fchmodat_auditctl:obj:1 of type textfilecontent54_object
Remediation Shell script: (not expanded)
Remediation Ansible snippet: (not expanded)
Record Events that Modify the System's Discretionary Access Controls - removexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr | ||||||||||||||||||||||||
| Result | fail | ||||||||||||||||||||||||
| Time | 2021-02-16T19:41:12 | ||||||||||||||||||||||||
| Severity | medium | ||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-27367-2 References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, RHEL-07-030470, SV-86741r4_rule, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940 | ||||||||||||||||||||||||
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the default), add
the following line to a file with suffix .rules in the directory
/etc/audit/rules.d:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following line to the
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod | ||||||||||||||||||||||||
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | ||||||||||||||||||||||||
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others, as identified earlier in this guide, is more efficient. | ||||||||||||||||||||||||
OVAL details:
audit augenrules 32-bit removexattr failed because these items were missing: Object oval:ssg-object_32bit_ardm_removexattr_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 64-bit removexattr failed because these items were missing: Object oval:ssg-object_64bit_ardm_removexattr_augenrules:obj:1 of type textfilecontent54_object
audit auditctl 32-bit removexattr failed because these items were missing: Object oval:ssg-object_32bit_ardm_removexattr_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 64-bit removexattr failed because these items were missing: Object oval:ssg-object_64bit_ardm_removexattr_auditctl:obj:1 of type textfilecontent54_object
Remediation Shell script: (not expanded)
Remediation Ansible snippet: (not expanded)
Record Events that Modify the System's Discretionary Access Controls - fremovexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr | ||||||||||||||||||||||||
| Result | fail | ||||||||||||||||||||||||
| Time | 2021-02-16T19:41:12 | ||||||||||||||||||||||||
| Severity | medium | ||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-27353-2 References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, RHEL-07-030480, SV-86743r4_rule, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940 | ||||||||||||||||||||||||
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the default), add
the following line to a file with suffix .rules in the directory
/etc/audit/rules.d:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following line to the
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod | ||||||||||||||||||||||||
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | ||||||||||||||||||||||||
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others, as identified earlier in this guide, is more efficient. | ||||||||||||||||||||||||
OVAL details:
audit augenrules 32-bit fremovexattr failed because these items were missing: Object oval:ssg-object_32bit_ardm_fremovexattr_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 64-bit fremovexattr failed because these items were missing: Object oval:ssg-object_64bit_ardm_fremovexattr_augenrules:obj:1 of type textfilecontent54_object
audit auditctl 32-bit fremovexattr failed because these items were missing: Object oval:ssg-object_32bit_ardm_fremovexattr_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 64-bit fremovexattr failed because these items were missing: Object oval:ssg-object_64bit_ardm_fremovexattr_auditctl:obj:1 of type textfilecontent54_object
Remediation Shell script: (not expanded)
Remediation Ansible snippet: (not expanded)
Record Events that Modify the System's Discretionary Access Controls - lsetxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr | ||||||||||||||||||||||||
| Result | fail | ||||||||||||||||||||||||
| Time | 2021-02-16T19:41:12 | ||||||||||||||||||||||||
| Severity | medium | ||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-27280-7 References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, RHEL-07-030460, SV-86739r4_rule, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940 | ||||||||||||||||||||||||
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the default), add
the following line to a file with suffix .rules in the directory
/etc/audit/rules.d:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following line to the
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod | ||||||||||||||||||||||||
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | ||||||||||||||||||||||||
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others, as identified earlier in this guide, is more efficient. | ||||||||||||||||||||||||
OVAL details:
audit augenrules 32-bit lsetxattr failed because these items were missing: Object oval:ssg-object_32bit_ardm_lsetxattr_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 64-bit lsetxattr failed because these items were missing: Object oval:ssg-object_64bit_ardm_lsetxattr_augenrules:obj:1 of type textfilecontent54_object
audit auditctl 32-bit lsetxattr failed because these items were missing: Object oval:ssg-object_32bit_ardm_lsetxattr_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 64-bit lsetxattr failed because these items were missing: Object oval:ssg-object_64bit_ardm_lsetxattr_auditctl:obj:1 of type textfilecontent54_object
Remediation Shell script: (not expanded)
Remediation Ansible snippet: (not expanded)
Record Events that Modify the System's Discretionary Access Controls - fchmod
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod | ||||||||||||||||||||||||
| Result | fail | ||||||||||||||||||||||||
| Time | 2021-02-16T19:41:12 | ||||||||||||||||||||||||
| Severity | medium | ||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-27393-8 References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, RHEL-07-030420, SV-86731r4_rule, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940 | ||||||||||||||||||||||||
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the default), add
the following line to a file with suffix .rules in the directory
/etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following line to the
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod | ||||||||||||||||||||||||
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | ||||||||||||||||||||||||
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others, as identified earlier in this guide, is more efficient. | ||||||||||||||||||||||||
OVAL details:
audit augenrules 32-bit fchmod failed because these items were missing: Object oval:ssg-object_32bit_ardm_fchmod_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 64-bit fchmod failed because these items were missing: Object oval:ssg-object_64bit_ardm_fchmod_augenrules:obj:1 of type textfilecontent54_object
audit auditctl 32-bit fchmod failed because these items were missing: Object oval:ssg-object_32bit_ardm_fchmod_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 64-bit fchmod failed because these items were missing: Object oval:ssg-object_64bit_ardm_fchmod_auditctl:obj:1 of type textfilecontent54_object
Remediation Shell script: (not expanded)
Remediation Ansible snippet: (not expanded)
Record Events that Modify the System's Discretionary Access Controls - lchown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown | ||||||||||||||||||||||||
| Result | fail | ||||||||||||||||||||||||
| Time | 2021-02-16T19:41:12 | ||||||||||||||||||||||||
| Severity | medium | ||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-27083-5 References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, RHEL-07-030390, SV-86725r4_rule, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940 | ||||||||||||||||||||||||
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the default), add
the following line to a file with suffix .rules in the directory
/etc/audit/rules.d:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following line to the
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod | ||||||||||||||||||||||||
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | ||||||||||||||||||||||||
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others, as identified earlier in this guide, is more efficient. | ||||||||||||||||||||||||
OVAL details:
audit augenrules 32-bit lchown failed because these items were missing: Object oval:ssg-object_32bit_ardm_lchown_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 64-bit lchown failed because these items were missing: Object oval:ssg-object_64bit_ardm_lchown_augenrules:obj:1 of type textfilecontent54_object
audit auditctl 32-bit lchown failed because these items were missing: Object oval:ssg-object_32bit_ardm_lchown_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 64-bit lchown failed because these items were missing: Object oval:ssg-object_64bit_ardm_lchown_auditctl:obj:1 of type textfilecontent54_object
| |||||||||||||||||||||||||
Remediation Shell script | |||||||||||||||||||||||||
Remediation Ansible snippet
| |||||||||||||||||||||||||
Record Events that Modify the System's Discretionary Access Controls - fsetxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr | ||||||||||||||||||||||||
| Result | fail | ||||||||||||||||||||||||
| Time | 2021-02-16T19:41:12 | ||||||||||||||||||||||||
| Severity | medium | ||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-27389-6 References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, RHEL-07-030450, SV-86737r4_rule, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940 | ||||||||||||||||||||||||
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the /etc/audit/rules.d directory:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod | ||||||||||||||||||||||||
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | ||||||||||||||||||||||||
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient. | ||||||||||||||||||||||||
OVAL details: audit augenrules 32-bit fsetxattr failed because these items were missing: Object oval:ssg-object_32bit_ardm_fsetxattr_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 64-bit fsetxattr failed because these items were missing: Object oval:ssg-object_64bit_ardm_fsetxattr_augenrules:obj:1 of type textfilecontent54_object
audit auditctl 32-bit fsetxattr failed because these items were missing: Object oval:ssg-object_32bit_ardm_fsetxattr_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 64-bit fsetxattr failed because these items were missing: Object oval:ssg-object_64bit_ardm_fsetxattr_auditctl:obj:1 of type textfilecontent54_object
| |||||||||||||||||||||||||
Remediation Shell script | |||||||||||||||||||||||||
Remediation Ansible snippet
| |||||||||||||||||||||||||
Record Events that Modify the System's Discretionary Access Controls - lremovexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr | ||||||||||||||||||||||||
| Result | fail | ||||||||||||||||||||||||
| Time | 2021-02-16T19:41:12 | ||||||||||||||||||||||||
| Severity | medium | ||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-27410-0 References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, RHEL-07-030490, SV-86745r4_rule, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940 | ||||||||||||||||||||||||
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the /etc/audit/rules.d directory:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod | ||||||||||||||||||||||||
| Rationale | The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. | ||||||||||||||||||||||||
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient. | ||||||||||||||||||||||||
OVAL details: audit augenrules 32-bit lremovexattr failed because these items were missing: Object oval:ssg-object_32bit_ardm_lremovexattr_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 64-bit lremovexattr failed because these items were missing: Object oval:ssg-object_64bit_ardm_lremovexattr_augenrules:obj:1 of type textfilecontent54_object
audit auditctl 32-bit lremovexattr failed because these items were missing: Object oval:ssg-object_32bit_ardm_lremovexattr_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 64-bit lremovexattr failed because these items were missing: Object oval:ssg-object_64bit_ardm_lremovexattr_auditctl:obj:1 of type textfilecontent54_object
| |||||||||||||||||||||||||
Remediation Shell script | |||||||||||||||||||||||||
Remediation Ansible snippet
| |||||||||||||||||||||||||
Record Unsuccessful Access Attempts to Files - truncate
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Result | fail | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Time | 2021-02-16T19:41:12 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Severity | medium | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-80389-0 References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, RHEL-07-030540, SV-86755r4_rule, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the /etc/audit/rules.d directory:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
OVAL details: audit augenrules 32-bit file eacces failed because these items were missing: Object oval:ssg-object_32bit_arufm_eacces_truncate_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 32-bit file eperm failed because these items were missing: Object oval:ssg-object_32bit_arufm_eperm_truncate_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 64-bit file eacces failed because these items were missing: Object oval:ssg-object_64bit_arufm_eacces_truncate_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 64-bit file eperm failed because these items were missing: Object oval:ssg-object_64bit_arufm_eperm_truncate_augenrules:obj:1 of type textfilecontent54_object
audit auditctl 32-bit file eacces failed because these items were missing: Object oval:ssg-object_32bit_arufm_eacces_truncate_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 32-bit file eperm failed because these items were missing: Object oval:ssg-object_32bit_arufm_eperm_truncate_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 64-bit file eacces failed because these items were missing: Object oval:ssg-object_64bit_arufm_eacces_truncate_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 64-bit file eperm failed because these items were missing: Object oval:ssg-object_64bit_arufm_eperm_truncate_auditctl:obj:1 of type textfilecontent54_object
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Remediation Shell script | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Record Unsuccessful Access Attempts to Files - creat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Result | fail | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Time | 2021-02-16T19:41:12 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Severity | medium | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-80385-8 References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, RHEL-07-030500, SV-86747r4_rule, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the /etc/audit/rules.d directory:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
OVAL details: audit augenrules 32-bit file eacces failed because these items were missing: Object oval:ssg-object_32bit_arufm_eacces_creat_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 32-bit file eperm failed because these items were missing: Object oval:ssg-object_32bit_arufm_eperm_creat_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 64-bit file eacces failed because these items were missing: Object oval:ssg-object_64bit_arufm_eacces_creat_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 64-bit file eperm failed because these items were missing: Object oval:ssg-object_64bit_arufm_eperm_creat_augenrules:obj:1 of type textfilecontent54_object
audit auditctl 32-bit file eacces failed because these items were missing: Object oval:ssg-object_32bit_arufm_eacces_creat_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 32-bit file eperm failed because these items were missing: Object oval:ssg-object_32bit_arufm_eperm_creat_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 64-bit file eacces failed because these items were missing: Object oval:ssg-object_64bit_arufm_eacces_creat_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 64-bit file eperm failed because these items were missing: Object oval:ssg-object_64bit_arufm_eperm_creat_auditctl:obj:1 of type textfilecontent54_object
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Remediation Shell script | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Record Unsuccessful Access Attempts to Files - open
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Result | fail | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Time | 2021-02-16T19:41:12 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Severity | medium | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-80386-6 References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, RHEL-07-030510, SV-86749r4_rule, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the /etc/audit/rules.d directory:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
OVAL details: audit augenrules 32-bit file eacces failed because these items were missing: Object oval:ssg-object_32bit_arufm_eacces_open_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 32-bit file eperm failed because these items were missing: Object oval:ssg-object_32bit_arufm_eperm_open_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 64-bit file eacces failed because these items were missing: Object oval:ssg-object_64bit_arufm_eacces_open_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 64-bit file eperm failed because these items were missing: Object oval:ssg-object_64bit_arufm_eperm_open_augenrules:obj:1 of type textfilecontent54_object
audit auditctl 32-bit file eacces failed because these items were missing: Object oval:ssg-object_32bit_arufm_eacces_open_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 32-bit file eperm failed because these items were missing: Object oval:ssg-object_32bit_arufm_eperm_open_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 64-bit file eacces failed because these items were missing: Object oval:ssg-object_64bit_arufm_eacces_open_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 64-bit file eperm failed because these items were missing: Object oval:ssg-object_64bit_arufm_eperm_open_auditctl:obj:1 of type textfilecontent54_object
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Remediation Shell script | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Record Unsuccessful Access Attempts to Files - open_by_handle_at
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Result | fail | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Time | 2021-02-16T19:41:12 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Severity | medium | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Identifiers and References | Identifiers: CCE-80388-2 References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, RHEL-07-030530, SV-86753r4_rule, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the /etc/audit/rules.d directory:
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Warnings | Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identified earlier in this guide is more efficient. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
OVAL details: audit augenrules 32-bit file eacces failed because these items were missing: Object oval:ssg-object_32bit_arufm_eacces_open_by_handle_at_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 32-bit file eperm failed because these items were missing: Object oval:ssg-object_32bit_arufm_eperm_open_by_handle_at_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 64-bit file eacces failed because these items were missing: Object oval:ssg-object_64bit_arufm_eacces_open_by_handle_at_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 64-bit file eperm failed because these items were missing: Object oval:ssg-object_64bit_arufm_eperm_open_by_handle_at_augenrules:obj:1 of type textfilecontent54_object
audit auditctl 32-bit file eacces failed because these items were missing: Object oval:ssg-object_32bit_arufm_eacces_open_by_handle_at_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 32-bit file eperm failed because these items were missing: Object oval:ssg-object_32bit_arufm_eperm_open_by_handle_at_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 64-bit file eacces failed because these items were missing: Object oval:ssg-object_64bit_arufm_eacces_open_by_handle_at_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 64-bit file eperm failed because these items were missing: Object oval:ssg-object_64bit_arufm_eperm_open_by_handle_at_auditctl:obj:1 of type textfilecontent54_object
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Remediation Shell script | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Remediation Ansible snippet
Record Unsuccessful Access Attempts to Files - ftruncate
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate |
| Result | fail |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80390-8 References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, RHEL-07-030550, SV-86757r4_rule, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 |
| Description | At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient. |
OVAL details
audit augenrules 32-bit file eacces failed because these items were missing: Object oval:ssg-object_32bit_arufm_eacces_ftruncate_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 32-bit file eperm failed because these items were missing: Object oval:ssg-object_32bit_arufm_eperm_ftruncate_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 64-bit file eacces failed because these items were missing: Object oval:ssg-object_64bit_arufm_eacces_ftruncate_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 64-bit file eperm failed because these items were missing: Object oval:ssg-object_64bit_arufm_eperm_ftruncate_augenrules:obj:1 of type textfilecontent54_object
audit auditctl 32-bit file eacces failed because these items were missing: Object oval:ssg-object_32bit_arufm_eacces_ftruncate_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 32-bit file eperm failed because these items were missing: Object oval:ssg-object_32bit_arufm_eperm_ftruncate_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 64-bit file eacces failed because these items were missing: Object oval:ssg-object_64bit_arufm_eacces_ftruncate_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 64-bit file eperm failed because these items were missing: Object oval:ssg-object_64bit_arufm_eperm_ftruncate_auditctl:obj:1 of type textfilecontent54_object
Remediation: Shell script, Ansible snippet
Record Unsuccessful Access Attempts to Files - openat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat |
| Result | fail |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80387-4 References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172, RHEL-07-030520, SV-86751r4_rule, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830 |
| Description | At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. |
| Warnings | Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others, as identified earlier in this guide, is more efficient. |
OVAL details
audit augenrules 32-bit file eacces failed because these items were missing: Object oval:ssg-object_32bit_arufm_eacces_openat_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 32-bit file eperm failed because these items were missing: Object oval:ssg-object_32bit_arufm_eperm_openat_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 64-bit file eacces failed because these items were missing: Object oval:ssg-object_64bit_arufm_eacces_openat_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 64-bit file eperm failed because these items were missing: Object oval:ssg-object_64bit_arufm_eperm_openat_augenrules:obj:1 of type textfilecontent54_object
audit auditctl 32-bit file eacces failed because these items were missing: Object oval:ssg-object_32bit_arufm_eacces_openat_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 32-bit file eperm failed because these items were missing: Object oval:ssg-object_32bit_arufm_eperm_openat_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 64-bit file eacces failed because these items were missing: Object oval:ssg-object_64bit_arufm_eacces_openat_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 64-bit file eperm failed because these items were missing: Object oval:ssg-object_64bit_arufm_eperm_openat_auditctl:obj:1 of type textfilecontent54_object
Remediation: Shell script, Ansible snippet
Ensure auditd Collects File Deletion Events by User - rmdir
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir |
| Result | fail |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80412-0 References: 5.2.14, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000366, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, MA-4(1)(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172, RHEL-07-030900, SV-86827r4_rule, SRG-OS-000466-VMM-001870, SRG-OS-000468-VMM-001890 |
| Description | At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete |
| Rationale | Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as in detecting malicious processes that attempt to delete log files to conceal their presence. |
OVAL details
audit augenrules 32-bit rmdir failed because these items were missing: Object oval:ssg-object_32bit_ardm_rmdir_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 64-bit rmdir failed because these items were missing: Object oval:ssg-object_64bit_ardm_rmdir_augenrules:obj:1 of type textfilecontent54_object
audit auditctl 32-bit rmdir failed because these items were missing: Object oval:ssg-object_32bit_ardm_rmdir_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 64-bit rmdir failed because these items were missing: Object oval:ssg-object_64bit_ardm_rmdir_auditctl:obj:1 of type textfilecontent54_object
Remediation: Shell script, Ansible snippet
Ensure auditd Collects File Deletion Events by User - unlinkat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat |
| Result | fail |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80662-0 References: 5.2.14, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000366, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, MA-4(1)(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172, RHEL-07-030920, SV-86831r4_rule, SRG-OS-000466-VMM-001870, SRG-OS-000468-VMM-001890 |
| Description | At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete |
| Rationale | Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as in detecting malicious processes that attempt to delete log files to conceal their presence. |
OVAL details
audit augenrules 32-bit unlinkat failed because these items were missing: Object oval:ssg-object_32bit_ardm_unlinkat_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 64-bit unlinkat failed because these items were missing: Object oval:ssg-object_64bit_ardm_unlinkat_augenrules:obj:1 of type textfilecontent54_object
audit auditctl 32-bit unlinkat failed because these items were missing: Object oval:ssg-object_32bit_ardm_unlinkat_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 64-bit unlinkat failed because these items were missing: Object oval:ssg-object_64bit_ardm_unlinkat_auditctl:obj:1 of type textfilecontent54_object
Remediation: Shell script, Ansible snippet
Ensure auditd Collects File Deletion Events by User - rename
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename |
| Result | fail |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80995-4 References: 5.2.14, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000366, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, MA-4(1)(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172, RHEL-07-030880, SV-86823r4_rule, SRG-OS-000466-VMM-001870, SRG-OS-000468-VMM-001890 |
| Description | At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete |
| Rationale | Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as in detecting malicious processes that attempt to delete log files to conceal their presence. |
OVAL details
audit augenrules 32-bit rename failed because these items were missing: Object oval:ssg-object_32bit_ardm_rename_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 64-bit rename failed because these items were missing: Object oval:ssg-object_64bit_ardm_rename_augenrules:obj:1 of type textfilecontent54_object
audit auditctl 32-bit rename failed because these items were missing: Object oval:ssg-object_32bit_ardm_rename_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 64-bit rename failed because these items were missing: Object oval:ssg-object_64bit_ardm_rename_auditctl:obj:1 of type textfilecontent54_object
Remediation: Shell script, Ansible snippet
Ensure auditd Collects File Deletion Events by User - renameat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat |
| Result | fail |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80413-8 References: 5.2.14, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000366, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, MA-4(1)(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172, RHEL-07-030890, SV-86825r4_rule, SRG-OS-000466-VMM-001870, SRG-OS-000468-VMM-001890 |
| Description | At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete |
| Rationale | Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as in detecting malicious processes that attempt to delete log files to conceal their presence. |
OVAL details
audit augenrules 32-bit renameat failed because these items were missing: Object oval:ssg-object_32bit_ardm_renameat_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 64-bit renameat failed because these items were missing: Object oval:ssg-object_64bit_ardm_renameat_augenrules:obj:1 of type textfilecontent54_object
audit auditctl 32-bit renameat failed because these items were missing: Object oval:ssg-object_32bit_ardm_renameat_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 64-bit renameat failed because these items were missing: Object oval:ssg-object_64bit_ardm_renameat_auditctl:obj:1 of type textfilecontent54_object
Remediation: Shell script, Ansible snippet
Ensure auditd Collects File Deletion Events by User - unlink
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink |
| Result | fail |
| Time | 2021-02-16T19:41:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80996-2 References: 5.2.14, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000366, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, MA-4(1)(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172, RHEL-07-030910, SV-86829r4_rule, SRG-OS-000466-VMM-001870, SRG-OS-000468-VMM-001890 |
| Description | At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete |
| Rationale | Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as in detecting malicious processes that attempt to delete log files to conceal their presence. |
OVAL details
audit augenrules 32-bit unlink failed because these items were missing: Object oval:ssg-object_32bit_ardm_unlink_augenrules:obj:1 of type textfilecontent54_object
audit augenrules 64-bit unlink failed because these items were missing: Object oval:ssg-object_64bit_ardm_unlink_augenrules:obj:1 of type textfilecontent54_object
audit auditctl 32-bit unlink failed because these items were missing: Object oval:ssg-object_32bit_ardm_unlink_auditctl:obj:1 of type textfilecontent54_object
audit auditctl 64-bit unlink failed because these items were missing: Object oval:ssg-object_64bit_ardm_unlink_auditctl:obj:1 of type textfilecontent54_object
Remediation: Shell script, Ansible snippet
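The warning on the ftruncate and openat rules says that listing each syscall in its own rule is the least efficient way to meet the check, and the five deletion rules above are written the same one-syscall-per-rule way. The script below is an added example, not the SSG remediation content or any part of the report: it writes the "access" syscalls as one rule per arch and errno and the "delete" syscalls as one rule per arch, and includes a checker that, like the OVAL textfilecontent54 tests above, accepts the grouped form as well as the per-syscall form. ftruncate, openat and the five deletion syscalls come from the rules above; creat, open, open_by_handle_at and truncate are the remaining members of the guide's access group. The rules.d directory argument, the file names 30-access.rules and 30-delete.rules, and the uname-based arch detection are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the SSG remediation script). Writes grouped auditd
# rules for the failed-access and file-deletion syscalls into a rules.d
# directory passed by the caller (normally /etc/audit/rules.d), then
# verifies the written file. File names 30-access.rules / 30-delete.rules
# are assumptions of this example.
set -u

# ftruncate and openat are the syscalls named in the rules above; the other
# four are the remaining members of the guide's access group. The delete
# group is exactly the five syscalls of the deletion rules above.
ACCESS_SYSCALLS="creat open openat open_by_handle_at truncate ftruncate"
DELETE_SYSCALLS="unlink unlinkat rename renameat rmdir"

# arch_list: a 64-bit kernel needs rules for both ABIs, as the text says;
# only 32-bit x86 gets b32 alone (assumption: uname -m is enough here).
arch_list() {
  case "$(uname -m)" in
    i?86) echo "b32" ;;
    *)    echo "b32 b64" ;;
  esac
}

# gen_access_rules "ARCHES": one rule per arch and errno, every syscall on
# a single -S list. auid>=1000 skips system accounts; auid!=unset skips
# processes with no login session, such as daemons started at boot.
gen_access_rules() {
  local arch errno syscalls
  syscalls=$(printf -- '-S %s ' $ACCESS_SYSCALLS)
  for arch in $1; do
    for errno in EACCES EPERM; do
      printf -- '-a always,exit -F arch=%s %s-F exit=-%s -F auid>=1000 -F auid!=unset -F key=access\n' \
        "$arch" "$syscalls" "$errno"
    done
  done
}

# gen_delete_rules "ARCHES": deletions are recorded whether or not they
# succeed, so there is no exit= filter.
gen_delete_rules() {
  local arch syscalls
  syscalls=$(printf -- '-S %s ' $DELETE_SYSCALLS)
  for arch in $1; do
    printf -- '-a always,exit -F arch=%s %s-F auid>=1000 -F auid!=unset -F key=delete\n' \
      "$arch" "$syscalls"
  done
}

# write_rules DIR "ARCHES": write both groups into DIR.
write_rules() {
  local dir=$1 arches=$2
  mkdir -p "$dir"
  gen_access_rules "$arches" > "$dir/30-access.rules"
  gen_delete_rules "$arches" > "$dir/30-delete.rules"
}

# check_rule FILE ARCH SYSCALL [ERRNO]: succeed if FILE holds an always,exit
# rule for ARCH that lists SYSCALL as a whole word (so "open" does not
# match "openat"), carries both auid filters and, when ERRNO is given, that
# exit filter. The position of SYSCALL on the -S list does not matter,
# which is why the grouped form passes the same check as the per-syscall form.
check_rule() {
  local file=$1 arch=$2 sc=$3 errno=${4:-}
  local re="^-a[[:space:]]+always,exit.*-F[[:space:]]+arch=$arch.*-S[[:space:]]+$sc([[:space:]]|$).*-F[[:space:]]+auid>=1000.*-F[[:space:]]+auid!=unset"
  if [ -n "$errno" ]; then
    grep -E "$re" "$file" | grep -Eq -- "-F[[:space:]]+exit=-$errno"
  else
    grep -Eq "$re" "$file"
  fi
}

# Touch the live system only when asked to, so the functions above can be
# exercised against a scratch directory without root.
if [ "${1:-}" = "--install" ]; then
  write_rules /etc/audit/rules.d "$(arch_list)"
  augenrules --load
  auditctl -l | grep -E 'key=(access|delete)'
fi
```

Run it as root with --install on a host that loads rules through augenrules (the default); the final auditctl -l line shows whether the kernel actually accepted the grouped rules, which is the check the report's OVAL objects cannot make since they only read the files. With auditctl-style startup, point write_rules at a scratch directory and append the two files to /etc/audit/audit.rules instead.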
Ensure auditd Collects Information on the Use of Privileged Commands
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands |
| Result | fail |
| Time | 2021-02-16T19:43:28 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27437-3 References: 5.2.10, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO08.04, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.05, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-002234, 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.5, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.3.4.5.9, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 3.9, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.1, A.16.1.2, A.16.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.3, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-2(4), AU-6(9), AU-12(a), AU-12(c), IR-5, DE.AE-2, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, DE.DP-4, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, RS.CO-2, Req-10.2.2, SRG-OS-000327-GPOS-00127, RHEL-07-030360, SV-86719r6_rule, SRG-OS-000471-VMM-001910 |
| Description | At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART:
$ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. |
| Warnings | This rule checks for multiple syscalls related to privileged commands; it was written with DISA STIG in mind. Other policies should use a separate rule for each syscall that needs to be checked. For example: |
OVAL details
audit augenrules suid sgid failed because these items were missing: Object oval:ssg-object_arpc_suid_sgid_augenrules:obj:1 of type textfilecontent54_object
State oval:ssg-state_audit_rules_privileged_commands:ste:1 of type textfilecontent54_state
audit augenrules binaries count matches rules count failed because of these items:
audit auditctl suid sgid failed because these items were missing: Object oval:ssg-object_arpc_suid_sgid_auditctl:obj:1 of type textfilecontent54_object
State oval:ssg-state_audit_rules_privileged_commands:ste:1 of type textfilecontent54_state
audit auditctl binaries count matches rules count failed because of these items:
Remediation: Shell script, Ansible snippet
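The description above leaves the per-binary rules to be written by hand from the find output, and the "binaries count matches rules count" OVAL test fails as soon as one setuid or setgid file has no rule. The script below is an added example, not the remediation script the report links to: it turns the find command into a generated rule set and adds a verifier that names every privileged binary without a rule. Treating the mount points listed by GNU df (minus tmpfs and devtmpfs) as the "local partitions", the output file name 50-privileged.rules, and the key name (taken from the text above; only consistency matters to auditd) are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the SSG remediation script). Generates one always,exit
# rule per setuid/setgid binary from the same find predicate as the text
# above, and verifies that the rule file covers every binary found.
# Assumptions: "local partition" means each mounted local filesystem other
# than tmpfs/devtmpfs as listed by GNU df; the file name 50-privileged.rules
# is ours; the key follows the description above.
set -u

# find_privileged PART...: setuid or setgid regular files on each PART
# without crossing mount points. Same predicate as the text's command,
# with -type f factored out of the two -o alternatives.
find_privileged() {
  local part
  for part in "$@"; do
    find "$part" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
  done | sort -u
}

# gen_privileged_rules PART...: one rule per binary. perm=x fires on
# execution; the auid filters keep daemon and system-account use out of
# the log, as in the rules above.
gen_privileged_rules() {
  local path
  find_privileged "$@" | while IFS= read -r path; do
    printf -- '-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes\n' "$path"
  done
}

# verify_privileged_rules RULES_FILE PART...: fail, naming the binary, if
# any setuid/setgid file on the given partitions has no rule. The fixed
# string "path=X -F perm=x" keeps /usr/bin/su from matching /usr/bin/sudo.
# Re-run after package updates: a newly installed setuid binary is exactly
# what makes the count check in the report fail again.
verify_privileged_rules() {
  local file=$1
  shift
  find_privileged "$@" | while IFS= read -r path; do
    grep -Fq -- "-F path=$path -F perm=x" "$file" \
      || { echo "no audit rule for $path" >&2; exit 1; }
  done
}

# local_partitions: mount points to scan on the live system (GNU df).
local_partitions() {
  df -l -x tmpfs -x devtmpfs --output=target | tail -n +2
}

# Touch the live system only when asked to; the functions above can be
# exercised against a scratch directory without root.
if [ "${1:-}" = "--install" ]; then
  # mount points are word-split on purpose (paths with spaces unsupported)
  gen_privileged_rules $(local_partitions) > /etc/audit/rules.d/50-privileged.rules
  augenrules --load
  verify_privileged_rules /etc/audit/rules.d/50-privileged.rules $(local_partitions)
fi
```

Run with --install as root on an augenrules host; afterwards auditctl -l | grep special-config-changes should list one line per binary that find reports. The verifier only reads the rule file, so it is cheap enough to run from cron and alert on a non-zero exit.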
Ensure auditd Collects System Administrator Actions
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions | ||||||||||||
| Result | fail | ||||||||||||
| Time | 2021-02-16T19:43:28 | ||||||||||||
| Severity | medium | ||||||||||||
| Identifiers and References | Identifiers: CCE-27461-3 References: 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-2(7)(b), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-3(1), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.2, Req-10.2.5.b, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, RHEL-07-030700, SV-86787r5_rule, SRG-OS-000462-VMM-001840, SRG-OS-000471-VMM-001910 | ||||||||||||
| Description | At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d; if the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add them to the /etc/audit/audit.rules file instead: `-w /etc/sudoers -p wa -k actions` and `-w /etc/sudoers.d/ -p wa -k actions` |
| Rationale | The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as for accountability purposes. |
| OVAL details | audit augenrules sudoers failed because these items were missing: Object oval:ssg-object_audit_rules_sysadmin_actions_sudoers_augenrules:obj:1 of type textfilecontent54_object; audit auditctl sudoers failed because these items were missing: Object oval:ssg-object_audit_rules_sysadmin_actions_sudoers_auditctl:obj:1 of type textfilecontent54_object |
Record Events that Modify the System's Network Environment
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification |
| Result | fail |
| Time | 2021-02-16T19:43:28 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27076-9 References: 5.2.6, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.5.5 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description | If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d; if the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add them to the /etc/audit/audit.rules file instead. In either case, set ARCH to either b32 or b64 as appropriate for your system: `-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification`, `-w /etc/issue -p wa -k audit_rules_networkconfig_modification`, `-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification`, `-w /etc/hosts -p wa -k audit_rules_networkconfig_modification`, `-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification` |
| Rationale | The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited. |
| OVAL details | audit /etc/issue augenrules failed because these items were missing: Object oval:ssg-object_arnm_etc_issue_augenrules:obj:1 of type textfilecontent54_object; audit /etc/issue.net augenrules failed because these items were missing: Object oval:ssg-object_arnm_etc_issue_net_augenrules:obj:1 of type textfilecontent54_object; audit /etc/hosts augenrules failed because these items were missing: Object oval:ssg-object_arnm_etc_hosts_augenrules:obj:1 of type textfilecontent54_object; audit /etc/sysconfig/network augenrules failed because these items were missing: Object oval:ssg-object_arnm_etc_sysconfig_network_augenrules:obj:1 of type textfilecontent54_object; audit /etc/issue auditctl failed because these items were missing: Object oval:ssg-object_arnm_etc_issue_auditctl:obj:1 of type textfilecontent54_object; audit /etc/issue.net auditctl failed because these items were missing: Object oval:ssg-object_arnm_etc_issue_net_auditctl:obj:1 of type textfilecontent54_object; audit /etc/hosts auditctl failed because these items were missing: Object oval:ssg-object_arnm_etc_hosts_auditctl:obj:1 of type textfilecontent54_object; audit /etc/sysconfig/network auditctl failed because these items were missing: Object oval:ssg-object_arnm_etc_sysconfig_network_auditctl:obj:1 of type textfilecontent54_object |
Ensure auditd Collects Information on Exporting to Media (successful)
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_media_export |
| Result | fail |
| Time | 2021-02-16T19:43:28 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27447-2 References: 5.2.13, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000135, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-3(1), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.2.7, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, RHEL-07-030740, SV-86795r6_rule | ||||||||||||||||||||||||
| Description | At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d; if the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add it to the /etc/audit/audit.rules file instead. In either case, set ARCH to either b32 or b64 as appropriate for your system: `-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export` |
| Rationale | The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss. |
| OVAL details | audit augenrules mount 32-bit failed because these items were missing: Object oval:ssg-object_audit_rules_media_export_mount_augenrules:obj:1 of type textfilecontent54_object; audit augenrules mount 64-bit failed because these items were missing: Object oval:ssg-object_64bit_ardm_media_export_mount_augenrules:obj:1 of type textfilecontent54_object; audit auditctl mount 32-bit failed because these items were missing: Object oval:ssg-object_audit_rules_media_export_mount_auditctl:obj:1 of type textfilecontent54_object; audit auditctl mount 64-bit failed because these items were missing: Object oval:ssg-object_64bit_ardm_media_export_mount_auditctl:obj:1 of type textfilecontent54_object |
Make the auditd Configuration Immutable
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_immutable |
| Result | fail |
| Time | 2021-02-16T19:43:28 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27097-5 References: 4.1.18, 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.4.3, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.310(a)(2)(iv), 164.312(d), 164.310(d)(2)(iii), 164.312(b), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, AU-1(b), AU-2(a), AU-2(c), AU-2(d), IR-5, DE.AE-3, DE.AE-5, ID.SC-4, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.2 | ||||||||||||
| Description | If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d; if the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add it to the /etc/audit/audit.rules file instead, in order to make the auditd configuration immutable: `-e 2`. With this setting, a reboot will be required to change any audit rules. |
| Rationale | Making the audit configuration immutable prevents accidental as well as malicious modification of the audit rules, although it may be problematic if legitimate changes are needed during system operation. |
| OVAL details | audit augenrules configuration locked failed because these items were missing: Object oval:ssg-object_ari_locked_augenrules:obj:1 of type textfilecontent54_object; audit auditctl configuration locked failed because these items were missing: Object oval:ssg-object_ari_locked_auditctl:obj:1 of type textfilecontent54_object |
Record Events that Modify User/Group Information - /etc/shadow
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow |
| Result | fail |
| Time | 2021-02-16T19:43:28 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80431-0 References: 5.2.5, 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-2(4), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, SRG-OS-000004-GPOS-00004, RHEL-07-030873, SV-87823r4_rule, SRG-OS-000004-VMM-000040, SRG-OS-000239-VMM-000810, SRG-OS-000240-VMM-000820, SRG-OS-000241-VMM-000830, SRG-OS-000274-VMM-000960, SRG-OS-000275-VMM-000970, SRG-OS-000276-VMM-000980, SRG-OS-000277-VMM-000990, SRG-OS-000303-VMM-001090, SRG-OS-000304-VMM-001100, SRG-OS-000476-VMM-001960 | ||||||||||||
| Description | If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d; if the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add it to the /etc/audit/audit.rules file instead, in order to capture events that modify accounts: `-w /etc/shadow -p wa -k audit_rules_usergroup_modification` |
| Rationale | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. |
| OVAL details | audit augenrules shadow failed because these items were missing: Object oval:ssg-object_audit_rules_usergroup_modification_shadow_augen:obj:1 of type textfilecontent54_object; audit shadow failed because these items were missing: Object oval:ssg-object_audit_rules_usergroup_modification_shadow_auditctl:obj:1 of type textfilecontent54_object |
Record Attempts to Alter Process and Session Initiation Information
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_session_events |
| Result | fail |
| Time | 2021-02-16T19:43:28 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27301-1 References: 5.2.9, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.3 | ||||||||||||||||||||||||||||||||||||
| Description | The audit system already collects process information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d; if the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add them to the /etc/audit/audit.rules file instead, in order to watch for attempted manual edits of the files that store such process information: `-w /var/run/utmp -p wa -k session`, `-w /var/log/btmp -p wa -k session`, `-w /var/log/wtmp -p wa -k session` |
| Rationale | Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. |
| OVAL details | audit augenrules utmp failed because these items were missing: Object oval:ssg-object_arse_utmp_augenrules:obj:1 of type textfilecontent54_object; audit augenrules btmp failed because these items were missing: Object oval:ssg-object_arse_btmp_augenrules:obj:1 of type textfilecontent54_object; audit augenrules wtmp failed because these items were missing: Object oval:ssg-object_arse_wtmp_augenrules:obj:1 of type textfilecontent54_object; audit auditctl utmp failed because these items were missing: Object oval:ssg-object_arse_utmp_auditctl:obj:1 of type textfilecontent54_object; audit auditctl btmp failed because these items were missing: Object oval:ssg-object_arse_btmp_auditctl:obj:1 of type textfilecontent54_object; audit auditctl wtmp failed because these items were missing: Object oval:ssg-object_arse_wtmp_auditctl:obj:1 of type textfilecontent54_object |
Record Events that Modify User/Group Information - /etc/security/opasswd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd |
| Result | fail |
| Time | 2021-02-16T19:43:28 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80430-2 References: 5.2.5, 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-2(4), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, SRG-OS-000003-GPOS-00004, RHEL-07-030874, SV-87825r5_rule, SRG-OS-000004-VMM-000040, SRG-OS-000239-VMM-000810, SRG-OS-000240-VMM-000820, SRG-OS-000241-VMM-000830, SRG-OS-000274-VMM-000960, SRG-OS-000275-VMM-000970, SRG-OS-000276-VMM-000980, SRG-OS-000277-VMM-000990, SRG-OS-000303-VMM-001090, SRG-OS-000304-VMM-001100, SRG-OS-000476-VMM-001960 | ||||||||||||
| Description | If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d; if the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add it to the /etc/audit/audit.rules file instead, in order to capture events that modify accounts: `-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification` |
| Rationale | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. |
| OVAL details | audit augenrules opasswd failed because these items were missing: Object oval:ssg-object_audit_rules_usergroup_modification_opasswd_augen:obj:1 of type textfilecontent54_object; audit opasswd failed because these items were missing: Object oval:ssg-object_audit_rules_usergroup_modification_opasswd_auditctl:obj:1 of type textfilecontent54_object |
Record Events that Modify the System's Mandatory Access Controls
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_mac_modification |
| Result | fail |
| Time | 2021-02-16T19:43:28 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27168-4 References: 5.2.7, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.8, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5 | ||||||||||||
| Description | If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d; if the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add it to the /etc/audit/audit.rules file instead: `-w /etc/selinux/ -p wa -k MAC-policy` |
| Rationale | The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited. |
| OVAL details | audit selinux changes augenrules failed because these items were missing: Object oval:ssg-object_armm_selinux_watch_augenrules:obj:1 of type textfilecontent54_object; audit selinux changes auditctl failed because these items were missing: Object oval:ssg-object_armm_selinux_watch_auditctl:obj:1 of type textfilecontent54_object |
Record Events that Modify User/Group Information - /etc/gshadow
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow |
| Result | fail |
| Time | 2021-02-16T19:43:28 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80432-8 References: 5.2.5, 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-2(4), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, SRG-OS-000004-GPOS-00004, RHEL-07-030872, SV-87819r4_rule, SRG-OS-000004-VMM-000040, SRG-OS-000239-VMM-000810, SRG-OS-000240-VMM-000820, SRG-OS-000241-VMM-000830, SRG-OS-000274-VMM-000960, SRG-OS-000275-VMM-000970, SRG-OS-000276-VMM-000980, SRG-OS-000277-VMM-000990, SRG-OS-000303-VMM-001090, SRG-OS-000304-VMM-001100, SRG-OS-000476-VMM-001960 | ||||||||||||
| Description | If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d; if the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add it to the /etc/audit/audit.rules file instead, in order to capture events that modify accounts: `-w /etc/gshadow -p wa -k audit_rules_usergroup_modification` |
| Rationale | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. |
| OVAL details | audit augenrules gshadow failed because these items were missing: Object oval:ssg-object_audit_rules_usergroup_modification_gshadow_augen:obj:1 of type textfilecontent54_object; audit gshadow failed because these items were missing: Object oval:ssg-object_audit_rules_usergroup_modification_gshadow_auditctl:obj:1 of type textfilecontent54_object |
Record Events that Modify User/Group Information - /etc/passwd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd |
| Result | fail |
| Time | 2021-02-16T19:43:28 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80435-1 References: 5.2.5, 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-2(4), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221, RHEL-07-030870, SV-86821r5_rule, SRG-OS-000004-VMM-000040, SRG-OS-000239-VMM-000810, SRG-OS-000240-VMM-000820, SRG-OS-000241-VMM-000830, SRG-OS-000274-VMM-000960, SRG-OS-000275-VMM-000970, SRG-OS-000276-VMM-000980, 
SRG-OS-000277-VMM-000990, SRG-OS-000303-VMM-001090, SRG-OS-000304-VMM-001100, SRG-OS-000476-VMM-001960 | ||||||||||||
| Description | If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d; if the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add it to the /etc/audit/audit.rules file instead, in order to capture events that modify accounts: `-w /etc/passwd -p wa -k audit_rules_usergroup_modification` |
| Rationale | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. |
| OVAL details | audit augenrules passwd failed because these items were missing: Object oval:ssg-object_audit_rules_usergroup_modification_passwd_augen:obj:1 of type textfilecontent54_object; audit passwd failed because these items were missing: Object oval:ssg-object_audit_rules_usergroup_modification_passwd_auditctl:obj:1 of type textfilecontent54_object |
Record Events that Modify User/Group Information - /etc/group
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group |
| Result | fail |
| Time | 2021-02-16T19:43:28 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80433-6 References: 5.2.5, 1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-2(4), AC-17(7), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-12(a), AU-12(c), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, SRG-OS-000004-GPOS-00004, RHEL-07-030871, SV-87817r3_rule, SRG-OS-000004-VMM-000040, SRG-OS-000239-VMM-000810, SRG-OS-000240-VMM-000820, SRG-OS-000241-VMM-000830, SRG-OS-000274-VMM-000960, SRG-OS-000275-VMM-000970, SRG-OS-000276-VMM-000980, SRG-OS-000277-VMM-000990, SRG-OS-000303-VMM-001090, SRG-OS-000304-VMM-001100, SRG-OS-000476-VMM-001960 | ||||||||||||
| Description | If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup, add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification. If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file, in order to capture events that modify account changes: -w /etc/group -p wa -k audit_rules_usergroup_modification |
| Rationale | In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. |
OVAL details: audit augenrules group failed because these items were missing: Object oval:ssg-object_audit_rules_usergroup_modification_group_augen:obj:1 of type textfilecontent54_object
audit group failed because these items were missing: Object oval:ssg-object_audit_rules_usergroup_modification_group_auditctl:obj:1 of type textfilecontent54_object
Remediation: Shell script, Ansible snippet

Enable Auditing for Processes Which Start Prior to the Audit Daemon
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_audit_argument |
| Result | fail |
| Time | 2021-02-16T19:43:28 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27212-0 References: 4.1.3, 1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.02, DSS05.03, DSS05.04, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, CCI-001464, CCI-000130, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(1), AU-14(1), AU-1(b), AU-2(a), AU-2(c), AU-2(d), AU-10, AU-12, IR-5, DE.AE-3, DE.AE-5, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.3, SRG-OS-000254-VMM-000880 |
| Description | To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to the GRUB_CMDLINE_LINUX kernel command line in /etc/default/grub, for example: GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 audit=1" |
| Rationale | Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although |
| Warnings | The GRUB 2 configuration file, grub.cfg, is automatically updated each time a new kernel is installed. Note that any changes to /etc/default/grub require rebuilding the grub.cfg file. To update the GRUB 2 configuration file manually, use the grub2-mkconfig -o command as follows: |
OVAL details: check for audit=1 in /etc/default/grub via GRUB_CMDLINE_LINUX failed because of these items:
check for audit=1 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT failed because these items were missing: Object oval:ssg-object_grub2_audit_argument_default:obj:1 of type textfilecontent54_object, State oval:ssg-state_grub2_audit_argument:ste:1 of type textfilecontent54_state
Remediation: Shell script, Ansible snippet

Enable auditd Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_auditd_enabled |
| Result | pass |
| Time | 2021-02-16T19:43:28 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-27407-6 References: 4.1.2, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-2(g), AU-3, AC-17(1), AU-1(b), AU-10, AU-12(a), AU-12(c), AU-14(1), IR-5, DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.1, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000042-GPOS-00021, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, RHEL-07-030000, SV-86703r3_rule, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190 | 
| Description | The auditd service can be enabled with the following command: $ sudo systemctl enable auditd.service |
| Rationale | Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the |
OVAL details: Test that the auditd service is running passed because of these items:
systemd test passed because of these items:
systemd test passed because of these items:

Verify User Who Owns shadow File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etc_shadow |
| Result | pass |
| Time | 2021-02-16T19:43:28 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82022-5 References: NT28(R36), 6.1.3, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, PR.AC-4, PR.DS-5, Req-8.7.c |
| Description | To properly set the owner of /etc/shadow, run the command: $ sudo chown root /etc/shadow |
| Rationale | The |
OVAL details: Testing user ownership of /etc/shadow passed because of these items:

Verify User Who Owns group File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etc_group |
| Result | pass |
| Time | 2021-02-16T19:43:28 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82031-6 References: 6.1.4, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, PR.AC-4, PR.DS-5, Req-8.7.c |
| Description | To properly set the owner of /etc/group, run the command: $ sudo chown root /etc/group |
| Rationale | The |
OVAL details: Testing user ownership of /etc/group passed because of these items:

Verify Group Who Owns gshadow File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow |
| Result | pass |
| Time | 2021-02-16T19:43:28 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82025-8 References: 6.1.5, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, PR.AC-4, PR.DS-5 |
| Description | To properly set the group owner of /etc/gshadow, run the command: $ sudo chgrp root /etc/gshadow |
| Rationale | The |
OVAL details: Testing group ownership of /etc/gshadow passed because of these items:

Verify Group Who Owns passwd File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd |
| Result | pass |
| Time | 2021-02-16T19:43:28 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-26639-5 References: 6.1.2, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, PR.AC-4, PR.DS-5, Req-8.7.c |
| Description | To properly set the group owner of /etc/passwd, run the command: $ sudo chgrp root /etc/passwd |
| Rationale | The |
OVAL details: Testing group ownership of /etc/passwd passed because of these items:

Verify Group Who Owns shadow File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow |
| Result | pass |
| Time | 2021-02-16T19:43:28 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82051-4 References: 6.1.3, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, PR.AC-4, PR.DS-5, Req-8.7.c |
| Description | To properly set the group owner of /etc/shadow, run the command: $ sudo chgrp root /etc/shadow |
| Rationale | The |
OVAL details: Testing group ownership of /etc/shadow passed because of these items:

Verify User Who Owns gshadow File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow |
| Result | pass |
| Time | 2021-02-16T19:43:28 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82195-9 References: NT28(R36), 6.1.5, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, PR.AC-4, PR.DS-5 |
| Description | To properly set the owner of /etc/gshadow, run the command: $ sudo chown root /etc/gshadow |
| Rationale | The |
OVAL details: Testing user ownership of /etc/gshadow passed because of these items:

Verify Group Who Owns group File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group |
| Result | pass |
| Time | 2021-02-16T19:43:28 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82037-3 References: 6.1.4, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, PR.AC-4, PR.DS-5, Req-8.7.c |
| Description | To properly set the group owner of /etc/group, run the command: $ sudo chgrp root /etc/group |
| Rationale | The |
OVAL details: Testing group ownership of /etc/group passed because of these items:

Verify User Who Owns passwd File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etc_passwd |
| Result | pass |
| Time | 2021-02-16T19:43:28 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82052-2 References: 6.1.2, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, PR.AC-4, PR.DS-5, Req-8.7.c |
| Description | To properly set the owner of /etc/passwd, run the command: $ sudo chown root /etc/passwd |
| Rationale | The |
OVAL details: Testing user ownership of /etc/passwd passed because of these items:

Ensure All Files Are Owned by a User
| Rule ID | xccdf_org.ssgproject.content_rule_no_files_unowned_by_user |
| Result | fail |
| Time | 2021-02-16T19:55:12 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80134-0 References: 6.1.11, 11, 12, 13, 14, 15, 16, 18, 3, 5, 9, APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, CCI-002165, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-3(4), AC-6, CM-6(b), PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-07-020320, SV-86631r3_rule |
| Description | If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user. |
| Rationale | Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed. |
OVAL details: Check user ids on all files on the system failed because of these items:

Verify that All World-Writable Directories Have Sticky Bits Set
| Rule ID | xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits |
| Result | fail |
| Time | 2021-02-16T19:58:02 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80130-8 References: 1.1.21, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, PR.AC-4, PR.DS-5 |
| Description | When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes. To set the sticky bit on a world-writable directory DIR, run the command: $ sudo chmod +t DIR |
| Rationale | Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure. |
OVAL details: all local world-writable directories have sticky bit set failed because of these items:
Remediation: Shell script

Disable the Automounter
| Rule ID | xccdf_org.ssgproject.content_rule_service_autofs_disabled |
| Result | pass |
| Time | 2021-02-16T20:02:15 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27498-5 References: 1.1.22, 1, 12, 15, 16, 5, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.4.6, CCI-000366, CCI-000778, CCI-001958, 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, AC-19(a), AC-19(d), AC-19(e), IA-3, PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, RHEL-07-020110, SV-86609r2_rule |
| Description | The autofs service can be disabled with the following command: $ sudo systemctl disable autofs.service. The autofs service can be masked with the following command: $ sudo systemctl mask autofs.service |
| Rationale | Disabling the automounter permits the administrator to statically control filesystem mounting through |
OVAL details: Test that the autofs service is not running passed because these items were not found: Object oval:ssg-obj_service_not_running_autofs:obj:1 of type systemdunitproperty_object, State oval:ssg-state_service_not_running_autofs:ste:1 of type systemdunitproperty_state
Test that the property LoadState from the service autofs is masked passed because these items were not found: Object oval:ssg-obj_service_loadstate_is_masked_autofs:obj:1 of type systemdunitproperty_object, State oval:ssg-state_service_loadstate_is_masked_autofs:ste:1 of type systemdunitproperty_state
Test that the property FragmentPath from the service autofs is set to /dev/null passed because these items were not found: Object oval:ssg-obj_service_fragmentpath_is_dev_null_autofs:obj:1 of type systemdunitproperty_object, State oval:ssg-state_service_fragmentpath_is_dev_null_autofs:ste:1 of type systemdunitproperty_state

Disable Mounting of cramfs
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled |
| Result | fail |
| Time | 2021-02-16T20:02:15 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-80137-3 References: 1.1.1.1, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3 |
| Description | To configure the system to prevent the cramfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d: install cramfs /bin/true. This effectively prevents usage of this uncommon filesystem. |
| Rationale | Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. |
OVAL details: kernel module cramfs disabled failed because these items were missing: Object oval:ssg-obj_kernmod_cramfs_disabled:obj:1 of type textfilecontent54_object
kernel module cramfs disabled in /etc/modprobe.conf failed because these items were missing: Object oval:ssg-obj_kernmod_cramfs_modprobeconf:obj:1 of type textfilecontent54_object
kernel module cramfs disabled in /etc/modules-load.d failed because these items were missing: Object oval:ssg-obj_kernmod_cramfs_etcmodules-load:obj:1 of type textfilecontent54_object
kernel module cramfs disabled in /run/modules-load.d failed because these items were missing: Object oval:ssg-obj_kernmod_cramfs_runmodules-load:obj:1 of type textfilecontent54_object
kernel module cramfs disabled in /usr/lib/modules-load.d failed because these items were missing: Object oval:ssg-obj_kernmod_cramfs_libmodules-load:obj:1 of type textfilecontent54_object
kernel module cramfs disabled in /run/modprobe.d failed because these items were missing: Object oval:ssg-obj_kernmod_cramfs_runmodprobed:obj:1 of type textfilecontent54_object
kernel module cramfs disabled in /usr/lib/modprobe.d failed because these items were missing: Object oval:ssg-obj_kernmod_cramfs_libmodprobed:obj:1 of type textfilecontent54_object
Remediation: Shell script, Ansible snippet

Disable Mounting of squashfs
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled |
| Result | fail |
| Time | 2021-02-16T20:02:15 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-80142-3 References: 1.1.1.6, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3 |
| Description | To configure the system to prevent the squashfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d: install squashfs /bin/true; this effectively prevents usage of this uncommon filesystem. |
| Rationale | Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. |
OVAL details
kernel module squashfs disabled: failed because these items were missing: Object oval:ssg-obj_kernmod_squashfs_disabled:obj:1 of type textfilecontent54_object
kernel module squashfs disabled in /etc/modprobe.conf: failed because these items were missing: Object oval:ssg-obj_kernmod_squashfs_modprobeconf:obj:1 of type textfilecontent54_object
kernel module squashfs disabled in /etc/modules-load.d: failed because these items were missing: Object oval:ssg-obj_kernmod_squashfs_etcmodules-load:obj:1 of type textfilecontent54_object
kernel module squashfs disabled in /run/modules-load.d: failed because these items were missing: Object oval:ssg-obj_kernmod_squashfs_runmodules-load:obj:1 of type textfilecontent54_object
kernel module squashfs disabled in /usr/lib/modules-load.d: failed because these items were missing: Object oval:ssg-obj_kernmod_squashfs_libmodules-load:obj:1 of type textfilecontent54_object
kernel module squashfs disabled in /run/modprobe.d: failed because these items were missing: Object oval:ssg-obj_kernmod_squashfs_runmodprobed:obj:1 of type textfilecontent54_object
kernel module squashfs disabled in /usr/lib/modprobe.d: failed because these items were missing: Object oval:ssg-obj_kernmod_squashfs_libmodprobed:obj:1 of type textfilecontent54_object
Remediation Shell script
Remediation Ansible snippet
Disable Mounting of hfsplus
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled |
| Result | fail |
| Time | 2021-02-16T20:02:15 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-80141-5 References: 1.1.1.5, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3 |
| Description | To configure the system to prevent the hfsplus kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d: install hfsplus /bin/true; this effectively prevents usage of this uncommon filesystem. |
| Rationale | Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. |
OVAL details
kernel module hfsplus disabled: failed because these items were missing: Object oval:ssg-obj_kernmod_hfsplus_disabled:obj:1 of type textfilecontent54_object
kernel module hfsplus disabled in /etc/modprobe.conf: failed because these items were missing: Object oval:ssg-obj_kernmod_hfsplus_modprobeconf:obj:1 of type textfilecontent54_object
kernel module hfsplus disabled in /etc/modules-load.d: failed because these items were missing: Object oval:ssg-obj_kernmod_hfsplus_etcmodules-load:obj:1 of type textfilecontent54_object
kernel module hfsplus disabled in /run/modules-load.d: failed because these items were missing: Object oval:ssg-obj_kernmod_hfsplus_runmodules-load:obj:1 of type textfilecontent54_object
kernel module hfsplus disabled in /usr/lib/modules-load.d: failed because these items were missing: Object oval:ssg-obj_kernmod_hfsplus_libmodules-load:obj:1 of type textfilecontent54_object
kernel module hfsplus disabled in /run/modprobe.d: failed because these items were missing: Object oval:ssg-obj_kernmod_hfsplus_runmodprobed:obj:1 of type textfilecontent54_object
kernel module hfsplus disabled in /usr/lib/modprobe.d: failed because these items were missing: Object oval:ssg-obj_kernmod_hfsplus_libmodprobed:obj:1 of type textfilecontent54_object
Remediation Shell script
Remediation Ansible snippet
Disable Mounting of jffs2
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled |
| Result | fail |
| Time | 2021-02-16T20:02:15 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-80139-9 References: 1.1.1.3, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3 |
| Description | To configure the system to prevent the jffs2 kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d: install jffs2 /bin/true; this effectively prevents usage of this uncommon filesystem. |
| Rationale | Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. |
OVAL details
kernel module jffs2 disabled: failed because these items were missing: Object oval:ssg-obj_kernmod_jffs2_disabled:obj:1 of type textfilecontent54_object
kernel module jffs2 disabled in /etc/modprobe.conf: failed because these items were missing: Object oval:ssg-obj_kernmod_jffs2_modprobeconf:obj:1 of type textfilecontent54_object
kernel module jffs2 disabled in /etc/modules-load.d: failed because these items were missing: Object oval:ssg-obj_kernmod_jffs2_etcmodules-load:obj:1 of type textfilecontent54_object
kernel module jffs2 disabled in /run/modules-load.d: failed because these items were missing: Object oval:ssg-obj_kernmod_jffs2_runmodules-load:obj:1 of type textfilecontent54_object
kernel module jffs2 disabled in /usr/lib/modules-load.d: failed because these items were missing: Object oval:ssg-obj_kernmod_jffs2_libmodules-load:obj:1 of type textfilecontent54_object
kernel module jffs2 disabled in /run/modprobe.d: failed because these items were missing: Object oval:ssg-obj_kernmod_jffs2_runmodprobed:obj:1 of type textfilecontent54_object
kernel module jffs2 disabled in /usr/lib/modprobe.d: failed because these items were missing: Object oval:ssg-obj_kernmod_jffs2_libmodprobed:obj:1 of type textfilecontent54_object
Remediation Shell script
Remediation Ansible snippet
Disable Mounting of hfs
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled |
| Result | fail |
| Time | 2021-02-16T20:02:15 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-80140-7 References: 1.1.1.4, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3 |
| Description | To configure the system to prevent the hfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d: install hfs /bin/true; this effectively prevents usage of this uncommon filesystem. |
| Rationale | Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. |
OVAL details
kernel module hfs disabled: failed because these items were missing: Object oval:ssg-obj_kernmod_hfs_disabled:obj:1 of type textfilecontent54_object
kernel module hfs disabled in /etc/modprobe.conf: failed because these items were missing: Object oval:ssg-obj_kernmod_hfs_modprobeconf:obj:1 of type textfilecontent54_object
kernel module hfs disabled in /etc/modules-load.d: failed because these items were missing: Object oval:ssg-obj_kernmod_hfs_etcmodules-load:obj:1 of type textfilecontent54_object
kernel module hfs disabled in /run/modules-load.d: failed because these items were missing: Object oval:ssg-obj_kernmod_hfs_runmodules-load:obj:1 of type textfilecontent54_object
kernel module hfs disabled in /usr/lib/modules-load.d: failed because these items were missing: Object oval:ssg-obj_kernmod_hfs_libmodules-load:obj:1 of type textfilecontent54_object
kernel module hfs disabled in /run/modprobe.d: failed because these items were missing: Object oval:ssg-obj_kernmod_hfs_runmodprobed:obj:1 of type textfilecontent54_object
kernel module hfs disabled in /usr/lib/modprobe.d: failed because these items were missing: Object oval:ssg-obj_kernmod_hfs_libmodprobed:obj:1 of type textfilecontent54_object
Remediation Shell script
Remediation Ansible snippet
Disable Mounting of udf
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled |
| Result | fail |
| Time | 2021-02-16T20:02:15 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-80143-1 References: 1.1.1.7, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3 |
| Description | To configure the system to prevent the udf kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d: install udf /bin/true; this effectively prevents usage of this uncommon filesystem. |
| Rationale | Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. |
OVAL details
kernel module udf disabled: failed because these items were missing: Object oval:ssg-obj_kernmod_udf_disabled:obj:1 of type textfilecontent54_object
kernel module udf disabled in /etc/modprobe.conf: failed because these items were missing: Object oval:ssg-obj_kernmod_udf_modprobeconf:obj:1 of type textfilecontent54_object
kernel module udf disabled in /etc/modules-load.d: failed because these items were missing: Object oval:ssg-obj_kernmod_udf_etcmodules-load:obj:1 of type textfilecontent54_object
kernel module udf disabled in /run/modules-load.d: failed because these items were missing: Object oval:ssg-obj_kernmod_udf_runmodules-load:obj:1 of type textfilecontent54_object
kernel module udf disabled in /usr/lib/modules-load.d: failed because these items were missing: Object oval:ssg-obj_kernmod_udf_libmodules-load:obj:1 of type textfilecontent54_object
kernel module udf disabled in /run/modprobe.d: failed because these items were missing: Object oval:ssg-obj_kernmod_udf_runmodprobed:obj:1 of type textfilecontent54_object
kernel module udf disabled in /usr/lib/modprobe.d: failed because these items were missing: Object oval:ssg-obj_kernmod_udf_libmodprobed:obj:1 of type textfilecontent54_object
Remediation Shell script
Remediation Ansible snippet
Disable Mounting of freevxfs
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled |
| Result | fail |
| Time | 2021-02-16T20:02:15 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-80138-1 References: 1.1.1.2, 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7, PR.IP-1, PR.PT-3 |
| Description | To configure the system to prevent the freevxfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d: install freevxfs /bin/true; this effectively prevents usage of this uncommon filesystem. |
| Rationale | Linux kernel modules which implement filesystems that are not needed by the local system should be disabled. |
OVAL details
kernel module freevxfs disabled: failed because these items were missing: Object oval:ssg-obj_kernmod_freevxfs_disabled:obj:1 of type textfilecontent54_object
kernel module freevxfs disabled in /etc/modprobe.conf: failed because these items were missing: Object oval:ssg-obj_kernmod_freevxfs_modprobeconf:obj:1 of type textfilecontent54_object
kernel module freevxfs disabled in /etc/modules-load.d: failed because these items were missing: Object oval:ssg-obj_kernmod_freevxfs_etcmodules-load:obj:1 of type textfilecontent54_object
kernel module freevxfs disabled in /run/modules-load.d: failed because these items were missing: Object oval:ssg-obj_kernmod_freevxfs_runmodules-load:obj:1 of type textfilecontent54_object
kernel module freevxfs disabled in /usr/lib/modules-load.d: failed because these items were missing: Object oval:ssg-obj_kernmod_freevxfs_libmodules-load:obj:1 of type textfilecontent54_object
kernel module freevxfs disabled in /run/modprobe.d: failed because these items were missing: Object oval:ssg-obj_kernmod_freevxfs_runmodprobed:obj:1 of type textfilecontent54_object
kernel module freevxfs disabled in /usr/lib/modprobe.d: failed because these items were missing: Object oval:ssg-obj_kernmod_freevxfs_libmodprobed:obj:1 of type textfilecontent54_object
Remediation Shell script
Remediation Ansible snippet
Disable Core Dumps for SUID programs
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable |
| Result | fail |
| Time | 2021-02-16T20:02:15 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-26900-1 References: NT28(R23), 1.5.1, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), SI-11 |
| Description | To set the runtime status of the fs.suid_dumpable kernel parameter, run the following command: $ sudo sysctl -w fs.suid_dumpable=0 If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: fs.suid_dumpable = 0 |
| Rationale | The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data. |
Remediation Shell script
Remediation Ansible snippet
Disable Core Dumps for All Users
| Rule ID | xccdf_org.ssgproject.content_rule_disable_users_coredumps |
| Result | fail |
| Time | 2021-02-16T20:02:15 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-80169-6 References: 1.5.1, 1, 12, 13, 15, 16, 2, 7, 8, APO13.01, BAI04.04, DSS01.03, DSS03.05, DSS05.07, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.17.2.1, DE.CM-1, PR.DS-4 |
| Description | To disable core dumps for all users, add the following line to /etc/security/limits.conf (or to a file in /etc/security/limits.d, which the check below also inspects): * hard core 0 |
| Rationale | A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. |
OVAL details
Tests the value of the ^[\s]*\*[\s]+(hard|-)[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.d directory: failed because these items were missing: Object oval:ssg-object_core_dumps_limits_d:obj:1 of type textfilecontent54_object; State oval:ssg-state_core_dumps_limits_d:ste:1 of type textfilecontent54_state
Tests for existance of the ^[\s]*\*[\s]+(hard|-)[\s]+core setting in the /etc/security/limits.d directory: failed because these items were missing: Object oval:ssg-object_core_dumps_limits_d_exists:obj:1 of type textfilecontent54_object; State oval:ssg-state_core_dumps_limits_d_exists:ste:1 of type textfilecontent54_state
Tests the value of the ^[\s]*\*[\s]+(hard|-)[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.conf file: failed because these items were missing: Object oval:ssg-object_core_dumps_limitsconf:obj:1 of type textfilecontent54_object; State oval:ssg-state_core_dumps_limitsconf:ste:1 of type textfilecontent54_state
Remediation Shell script
Remediation Ansible snippet
Enable ExecShield via sysctl
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield |
| Result | pass |
| Time | 2021-02-16T20:02:15 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27211-2 References: 1.5.2, 12, 15, 8, APO13.01, DSS05.02, 3.1.7, CCI-002530, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, SC-39, PR.PT-4 |
| Description | By default on Red Hat Enterprise Linux 7 64-bit systems, ExecShield is enabled and can only be disabled if the hardware does not support ExecShield or is disabled in |
| Rationale | ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range. This is enabled by default on the latest Red Hat and Fedora systems if supported by the hardware. |
OVAL details
kernel runtime parameter kernel.exec-shield set to 1: passed because these items were not found: Object oval:ssg-object_sysctl_kernel_exec_shield:obj:1 of type sysctl_object; State oval:ssg-state_sysctl_kernel_exec_shield:ste:1 of type sysctl_state
kernel.exec-shield static configuration: passed because these items were not found: Object oval:ssg-object_static_sysctl_kernel_exec_shield:obj:1 of type textfilecontent54_object
NX is disabled: passed because these items were not found: Object oval:ssg-object_nx_disabled_grub:obj:1 of type textfilecontent54_object
Enable Randomized Layout of Virtual Address Space
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space |
| Result | fail |
| Time | 2021-02-16T20:02:15 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-27127-0 References: NT28(R23), 1.5.1, 3.1.7, CCI-000366, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), SC-30(2), SC-39, SRG-OS-000480-GPOS-00227, RHEL-07-040201, SV-92521r2_rule |
| Description | To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command: $ sudo sysctl -w kernel.randomize_va_space=2 If this is not the system default value, add the following line to a file in the directory /etc/sysctl.d: kernel.randomize_va_space = 2 |
| Rationale | Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques. |
Remediation Shell script
Remediation Ansible snippet
Add noexec Option to /dev/shm
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec |
| Result | fail |
| Time | 2021-02-16T20:02:15 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80153-0 References: 1.1.17, 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CM-7, MP-2, PR.IP-1, PR.PT-2, PR.PT-3 |
| Description | The |
| Rationale | Allowing users to execute binaries from world-writable directories such as |
OVAL details
noexec on /dev/shm: failed because of these items:
Remediation Shell script
Remediation Ansible snippet
Add nodev Option to /tmp
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev |
| Result | fail |
| Time | 2021-02-16T20:02:15 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-80149-8 References: NT28(R12), 1.1.3, 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CM-7, MP-2, PR.IP-1, PR.PT-2, PR.PT-3 |
| Description | The |
| Rationale | The only legitimate location for device files is the |
OVAL details
nodev on /tmp: failed because these items were missing: Object oval:ssg-object_tmp_partition_nodev:obj:1 of type partition_object; State oval:ssg-state_tmp_partition_nodev:ste:1 of type partition_state
Remediation Shell script
Remediation Ansible snippet
Add nosuid Option to /tmp
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid |
| Result | fail |
| Time | 2021-02-16T20:02:15 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-80151-4 References: NT28(R12), 1.1.4, 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CM-7, MP-2, PR.IP-1, PR.PT-2, PR.PT-3 |
| Description | The |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions. |
OVAL details
nosuid on /tmp: failed because these items were missing: Object oval:ssg-object_tmp_partition_nosuid:obj:1 of type partition_object; State oval:ssg-state_tmp_partition_nosuid:ste:1 of type partition_state
Remediation Shell script
Remediation Ansible snippet
Add nodev Option to Removable Media Partitions
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions |
| Result | fail |
| Time | 2021-02-16T20:02:15 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-80146-4 References: 1.1.18, 11, 12, 13, 14, 16, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.06, DSS05.07, DSS06.03, DSS06.06, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.7.1.1, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, A.9.2.1, AC-19(a), AC-19(d), AC-19(e), CM-7, MP-2, PR.AC-3, PR.AC-6, PR.IP-1, PR.PT-2, PR.PT-3 |
| Description | The |
| Rationale | The only legitimate location for device files is the |
OVAL details
'nodev' mount option used for at least one CD / DVD drive alternative names in /etc/fstab: failed because of these items:
'nodev' mount option used for at least one CD / DVD drive alternative names in runtime configuration: failed because these items were missing: Object oval:ssg-object_nodev_runtime_cd_dvd_drive:obj:1 of type partition_object
Check if removable partition is configured with 'nodev' mount option in /etc/fstab: failed because these items were missing: Object oval:ssg-object_nodev_etc_fstab_not_cd_dvd_drive:obj:1 of type textfilecontent54_object; State oval:ssg-state_nodev_etc_fstab_not_cd_dvd_drive:ste:1 of type textfilecontent54_state
'nodev' mount option used for removable partition in runtime configuration: failed because these items were missing: Object oval:ssg-object_nodev_runtime_not_cd_dvd_drive:obj:1 of type partition_object
Remediation Shell script
Remediation Ansible snippet
Add nodev Option to /home

| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_home_nodev |
| Result | fail |
| Time | 2021-02-16T20:02:15 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-81047-3 |
| Description | The |
| Rationale | The only legitimate location for device files is the |

OVAL details: nodev on /home failed because these items were missing:
- Object oval:ssg-object_home_partition_nodev:obj:1 of type partition_object
- State oval:ssg-state_home_partition_nodev:ste:1 of type partition_state

Remediation available: Shell script, Ansible snippet, Anaconda snippet
Add nosuid Option to /var/tmp

| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid |
| Result | fail |
| Time | 2021-02-16T20:02:15 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-82153-8 |
| Description | The |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions. |

OVAL details: nosuid on /var/tmp failed because these items were missing:
- Object oval:ssg-object_var_tmp_partition_nosuid:obj:1 of type partition_object
- State oval:ssg-state_var_tmp_partition_nosuid:ste:1 of type partition_state

Remediation available: Shell script, Ansible snippet, Anaconda snippet
Add nodev Option to /dev/shm

| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev |
| Result | pass |
| Time | 2021-02-16T20:02:15 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80152-2 References: 1.1.15, 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CM-7, MP-2, PR.IP-1, PR.PT-2, PR.PT-3 |
| Description | The |
| Rationale | The only legitimate location for device files is the |

OVAL details: nodev on /dev/shm passed because of these items:
Add nosuid Option to /dev/shm

| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid |
| Result | pass |
| Time | 2021-02-16T20:02:15 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80154-8 References: 1.1.16, 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CM-7, MP-2, PR.IP-1, PR.PT-2, PR.PT-3 |
| Description | The |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions. |

OVAL details: nosuid on /dev/shm passed because of these items:
Add noexec Option to /tmp

| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec |
| Result | fail |
| Time | 2021-02-16T20:02:15 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-80150-6 References: NT28(R12), 1.1.5, 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CM-7, MP-2, PR.IP-1, PR.PT-2, PR.PT-3 |
| Description | The |
| Rationale | Allowing users to execute binaries from world-writable directories such as |

OVAL details: noexec on /tmp failed because these items were missing:
- Object oval:ssg-object_tmp_partition_noexec:obj:1 of type partition_object
- State oval:ssg-state_tmp_partition_noexec:ste:1 of type partition_state

Remediation available: Shell script, Ansible snippet
Add nodev Option to /var/tmp

| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev |
| Result | fail |
| Time | 2021-02-16T20:02:15 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-81052-3 |
| Description | The |
| Rationale | The only legitimate location for device files is the |

OVAL details: nodev on /var/tmp failed because these items were missing:
- Object oval:ssg-object_var_tmp_partition_nodev:obj:1 of type partition_object
- State oval:ssg-state_var_tmp_partition_nodev:ste:1 of type partition_state

Remediation available: Shell script, Ansible snippet, Anaconda snippet
Add nosuid Option to Removable Media Partitions

| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions |
| Result | fail |
| Time | 2021-02-16T20:02:15 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-80148-0 References: 1.1.19, 11, 12, 13, 14, 15, 16, 18, 3, 5, 8, 9, APO01.06, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.06, DSS05.07, DSS06.02, DSS06.03, DSS06.06, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.11.2.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, AC-19(a), AC-19(d), AC-19(e), CM-7, MP-2, PR.AC-3, PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-07-021010, SV-86667r2_rule |
| Description | The |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Allowing users to introduce SUID or SGID binaries from partitions mounted off of removable media would allow them to introduce their own highly-privileged programs. |

OVAL details:
- 'nosuid' mount option used for at least one CD / DVD drive alternative names in /etc/fstab failed because of these items:
- 'nosuid' mount option used for at least one CD / DVD drive alternative names in runtime configuration failed because these items were missing: Object oval:ssg-object_nosuid_runtime_cd_dvd_drive:obj:1 of type partition_object
- Check if removable partition is configured with 'nosuid' mount option in /etc/fstab failed because these items were missing: Object oval:ssg-object_nosuid_etc_fstab_not_cd_dvd_drive:obj:1 of type textfilecontent54_object; State oval:ssg-state_nosuid_etc_fstab_not_cd_dvd_drive:ste:1 of type textfilecontent54_state
- 'nosuid' mount option used for removable partition in runtime configuration failed because these items were missing: Object oval:ssg-object_nosuid_runtime_not_cd_dvd_drive:obj:1 of type partition_object

Remediation available: Shell script, Ansible snippet
Add noexec Option to Removable Media Partitions

| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions |
| Result | fail |
| Time | 2021-02-16T20:02:15 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-80147-2 References: 1.1.20, 11, 12, 13, 14, 16, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.06, DSS05.07, DSS06.03, DSS06.06, CCI-000087, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.7.1.1, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, A.9.2.1, AC-19(a), AC-19(d), AC-19(e), CM-7, MP-2, PR.AC-3, PR.AC-6, PR.IP-1, PR.PT-2, PR.PT-3 |
| Description | The |
| Rationale | Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise. |

OVAL details:
- 'noexec' mount option used for at least one CD / DVD drive alternative names in /etc/fstab failed because of these items:
- 'noexec' mount option used for at least one CD / DVD drive alternative names in runtime configuration failed because these items were missing: Object oval:ssg-object_noexec_runtime_cd_dvd_drive:obj:1 of type partition_object
- Check if removable partition is configured with 'noexec' mount option in /etc/fstab failed because these items were missing: Object oval:ssg-object_noexec_etc_fstab_not_cd_dvd_drive:obj:1 of type textfilecontent54_object; State oval:ssg-state_noexec_etc_fstab_not_cd_dvd_drive:ste:1 of type textfilecontent54_state
- 'noexec' mount option used for removable partition in runtime configuration failed because these items were missing: Object oval:ssg-object_noexec_runtime_not_cd_dvd_drive:obj:1 of type partition_object

Remediation available: Shell script, Ansible snippet
Add noexec Option to /var/tmp

| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec |
| Result | fail |
| Time | 2021-02-16T20:02:15 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-82150-4 |
| Description | The |
| Rationale | Allowing users to execute binaries from world-writable directories such as |

OVAL details: noexec on /var/tmp failed because these items were missing:
- Object oval:ssg-object_var_tmp_partition_noexec:obj:1 of type partition_object
- State oval:ssg-state_var_tmp_partition_noexec:ste:1 of type partition_state

Remediation available: Shell script, Ansible snippet, Anaconda snippet